A severe vulnerability has been identified in the WP Maps Pro WordPress plugin, posing significant risks to website security. Security firm Defiant warns that this flaw is being actively exploited by malicious actors to hijack websites.
Understanding the WP Maps Pro Plugin
The WP Maps Pro plugin is widely used by site administrators to incorporate Google Maps into their sites, offering advanced customization with location markers and categories. However, a critical flaw, identified as CVE-2026-8732 with a CVSS score of 9.8, is currently being exploited.
This vulnerability allows unauthorized individuals to establish new administrative accounts on compromised sites, effectively taking control of them. The flaw stems from a temporary access feature designed to assist the vendor in troubleshooting, which inadvertently opens a backdoor for attackers.
Exploit Mechanics and Vulnerability Details
The vulnerability lies in an AJAX callback function responsible for generating temporary access, which is protected only by a nonce check. Because this nonce is embedded in every frontend page, any visitor can read it, so the check provides no real protection.
Furthermore, the plugin lacks proper capability checks, so an attacker can invoke the AJAX action with a specific parameter set to bypass restrictions and create an admin-level user with a predefined email address and a random username. The process also generates a magic login URL that lets the attacker access the site without a password.
Consequences and Mitigation Efforts
Once an attacker gains admin-level access, they can install harmful plugins, alter themes, introduce backdoors, and extract sensitive data, as explained by Defiant. This vulnerability was patched in WP Maps Pro version 6.1.1, which includes a capability check to limit access to authorized administrators.
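The pattern described above, as an added illustration that is not WP Maps Pro's own code: a WordPress AJAX handler gated only by a nonce that is printed into public pages, beside the same handler with the capability check the fix introduces. Action, function and capability names are assumptions chosen for the example, and the two handlers are shown side by side only for comparison; a real plugin registers one of them.

```php
<?php
// Added illustration, not the plugin's code. Names are hypothetical.

// VULNERABLE PATTERN: the only gate is a nonce. A nonce is a CSRF token, not an
// authorization check; when it is printed into every frontend page, any visitor
// can read it and replay it. Registering the nopriv variant as well makes the
// action reachable without logging in at all.
add_action( 'wp_ajax_example_temp_access',        'example_temp_access_vulnerable' );
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' );

function example_temp_access_vulnerable() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // proves nothing about WHO is calling
    // privileged work (creating a support account, issuing a login link) would run here
    wp_send_json_success( array( 'created' => true ) );
}

// HARDENED PATTERN: keep the nonce for CSRF protection, but additionally require an
// authenticated caller who holds a capability that only administrators have.
function example_authorize_privileged_ajax( $nonce_action, $capability ) {
    // Third argument false: return instead of dying, so the caller chooses the response.
    if ( ! check_ajax_referer( $nonce_action, 'nonce', false ) ) {
        return false;
    }
    // The nonce says nothing about identity; the capability check is the real gate.
    return is_user_logged_in() && current_user_can( $capability );
}

// No wp_ajax_nopriv_ registration: anonymous visitors never reach this handler.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );

function example_temp_access_hardened() {
    if ( ! example_authorize_privileged_ajax( 'example_temp_access', 'manage_options' ) ) {
        // 403 with a JSON body; the request is logged by the web server as a denied call.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // privileged work runs only for authenticated administrators
    wp_send_json_success( array( 'created' => true ) );
}
```

When auditing a plugin, search its `wp_ajax_` and especially `wp_ajax_nopriv_` registrations and confirm each privileged handler calls `current_user_can()` rather than relying on `check_ajax_referer()` alone.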
Defiant has reported blocking over 1,700 attacks targeting this vulnerability within a single day. Website administrators are strongly advised to update their plugins to the latest version to safeguard against these exploits.
In related news, other WordPress plugins, such as LiteSpeed cPanel and Post SMTP, have also faced security challenges, emphasizing the need for regular updates and vigilance in website security practices.
