Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical WP Maps Pro Flaw Endangers WordPress Sites

Critical WP Maps Pro Flaw Endangers WordPress Sites

Posted on June 1, 2026 By CWS

A severe vulnerability has been identified in the WP Maps Pro WordPress plugin, posing significant risks to website security. Security firm Defiant warns that this flaw is being actively exploited by malicious actors to hijack websites.

Understanding the WP Maps Pro Plugin

The WP Maps Pro plugin is widely used by site administrators to incorporate Google Maps into their sites, offering advanced customization with location markers and categories. However, a critical flaw, identified as CVE-2026-8732 with a CVSS score of 9.8, is currently being exploited.

This vulnerability allows unauthorized individuals to establish new administrative accounts on compromised sites, effectively taking control of them. The flaw stems from a temporary access feature designed to assist the vendor in troubleshooting, which inadvertently opens a backdoor for attackers.

Exploit Mechanics and Vulnerability Details

The vulnerability is found within a callback AJAX function responsible for generating temporary access, safeguarded only by a nonce check. This nonce is embedded on every frontend page, making it accessible to any visitor, thus rendering the security measure ineffective.

Furthermore, the plugin lacks proper capability checks, enabling attackers to invoke the AJAX action with a specific parameter set to bypass restrictions, creating an admin-level user with a predefined email and random username. This process also generates a magic login URL, allowing attackers to access the site without a password.

Consequences and Mitigation Efforts

Once an attacker gains admin-level access, they can install harmful plugins, alter themes, introduce backdoors, and extract sensitive data, as explained by Defiant. This vulnerability was patched in WP Maps Pro version 6.1.1, which includes a capability check to limit access to authorized administrators.

Defiant has reported blocking over 1,700 attacks targeting this vulnerability within a single day. Website administrators are strongly advised to update their plugins to the latest version to safeguard against these exploits.

In related news, other WordPress plugins, such as LiteSpeed cPanel and Post SMTP, have also faced security challenges, emphasizing the need for regular updates and vigilance in website security practices.

Security Week News Tags:administrator account, AJAX function, CVE-2026-8732, cybersecurity threat, Defiant, nonce issue, plugin vulnerability, security patch, site takeover, WordPress security, WP Maps Pro

Post navigation

Previous Post: Miasma Attack Targets Red Hat npm Packages with Worm
Next Post: Magento Cache Plugin Flaw Enables Remote Code Attacks

Related Posts

Stealthy Attack Risks in Claude Code OAuth Tokens Revealed Stealthy Attack Risks in Claude Code OAuth Tokens Revealed Security Week News
GRC Firm Vanta Raises 0 Million at .15 Billion Valuation GRC Firm Vanta Raises $150 Million at $4.15 Billion Valuation Security Week News
Iran’s Cyber Offensive Intensifies Post Epic Fury Strikes Iran’s Cyber Offensive Intensifies Post Epic Fury Strikes Security Week News
Apple Blocks 2 Million App Store Apps for Security in 2025 Apple Blocks 2 Million App Store Apps for Security in 2025 Security Week News
Popular Scraping Tool’s NPM Package Compromised in Supply Chain Attack Popular Scraping Tool’s NPM Package Compromised in Supply Chain Attack Security Week News
Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • CISA Alerts on Critical Fortinet Vulnerabilities
  • New SharePoint Security Gap Exploited After Disclosure
  • CISA Highlights Exploited SharePoint Vulnerability
  • Coca-Cola Halts Fairlife Production Following Cyber Attack
  • 7-Zip Flaw Risks Remote Code Execution for Millions

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • CISA Alerts on Critical Fortinet Vulnerabilities
  • New SharePoint Security Gap Exploited After Disclosure
  • CISA Highlights Exploited SharePoint Vulnerability
  • Coca-Cola Halts Fairlife Production Following Cyber Attack
  • 7-Zip Flaw Risks Remote Code Execution for Millions

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark