Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
WP Maps Pro Vulnerability Exploited to Create Admin Accounts

WP Maps Pro Vulnerability Exploited to Create Admin Accounts

Posted on June 1, 2026 By CWS

Cybersecurity experts are raising alarms about a critical flaw in the WP Maps Pro plugin for WordPress, which attackers are actively exploiting to establish unauthorized administrator accounts. This vulnerability affects more than 15,000 installations of the plugin sold through the Envato Market.

Understanding the WP Maps Pro Plugin

WP Maps Pro is a popular WordPress plugin that enables website owners to integrate customizable Google Maps and OpenStreetMap features. Its functionalities include adding markers, listings, and offering advanced location services, commonly used as store locators to help users find nearby locations and directions.

The Nature of the Security Flaw

The vulnerability identified as CVE-2026-8732, with a severity rating of 9.8, is a privilege escalation bug. This flaw permits unauthenticated attackers to create a WordPress user with full administrative rights, potentially giving them control over the affected site. All versions up to and including 6.1.0 of the plugin are susceptible, though the issue is resolved in version 6.1.1. The security researcher David Brown is credited with discovering this flaw.

At the core of the problem is the plugin’s ‘temporary access’ feature, intended for support staff to troubleshoot client websites. The lax security of this feature allows unauthenticated users to exploit the ‘wpgmp_temp_access_support()’ function, leading to unauthorized account creation.

Technical Insights and Mitigation

According to Wordfence, the vulnerability is due to the ‘wpgmp_temp_access_ajax’ action being inadequately protected, relying solely on a nonce check. Since this nonce is publicly accessible through the frontend, it fails to serve as an effective access control measure. This loophole lets attackers invoke the handler with ‘check_temp=false’, creating an administrator user through ‘wp_insert_user()’ and granting full site access via a magic login URL.

To combat this threat, a patch was released on May 20, 2026, restricting access to authenticated administrators only. Despite this fix, the flaw is being actively targeted, as evidenced by Wordfence’s recent blocking of 2,858 attack attempts within a single day.

Conclusion and Recommendations

The ongoing exploitation of this vulnerability underscores the urgency for site owners using WP Maps Pro to immediately update to the latest version. Ensuring your website’s security is paramount to prevent unauthorized access and potential site takeovers.

The Hacker News Tags:admin account creation, CVE-2026-8732, Cybersecurity, Envato Market, plugin vulnerability, privilege escalation, website protection, Wordfence, WordPress security, WP Maps Pro

Post navigation

Previous Post: Microsoft Enforces Stricter Entra ID Password Reset Protocols
Next Post: Palo Alto Networks Vulnerability Under Active Exploitation

Related Posts

EtherRAT Uses GitHub Facades to Target Admin Accounts EtherRAT Uses GitHub Facades to Target Admin Accounts The Hacker News
AI Finds 21 Zero-Day Bugs in FFmpeg; Chrome Fixes 429 Issues AI Finds 21 Zero-Day Bugs in FFmpeg; Chrome Fixes 429 Issues The Hacker News
Key SOC Steps to Minimize Incident Risks Key SOC Steps to Minimize Incident Risks The Hacker News
Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature The Hacker News
What Sets Top-Tier Platforms Apart? What Sets Top-Tier Platforms Apart? The Hacker News
Fortinet Exploited, China’s AI Hacks, PhaaS Empire Falls & More Fortinet Exploited, China’s AI Hacks, PhaaS Empire Falls & More The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • 7-Zip Flaw Risks Remote Code Execution for Millions
  • Hackers Sentenced for Disrupting London Transport Systems
  • JetBrains Fixes Critical Security Flaws in Key Products
  • Dutch Police Break Up €100 Million Fraud Network
  • AI Security Testing Evolves with New Threats

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • 7-Zip Flaw Risks Remote Code Execution for Millions
  • Hackers Sentenced for Disrupting London Transport Systems
  • JetBrains Fixes Critical Security Flaws in Key Products
  • Dutch Police Break Up €100 Million Fraud Network
  • AI Security Testing Evolves with New Threats

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark