WordPress Plugin WP Maps Pro: Unauthenticated Admin Accounts Possible

Bottom Line: CVE-2026-8732 enables automated creation of admin users in affected WordPress instances up to version 6.1.0 via an unsecured AJAX endpoint.

The premium WordPress plugin WP Maps Pro has a critical vulnerability that allows attackers to create administrator accounts without authentication. Wordfence documented over 3,600 blocked attack attempts within 24 hours.

The paid WordPress plugin WP Maps Pro from vendor Flippercode is affected by a critical security flaw that allows attackers to create new user accounts with full administrator privileges without prior authentication. The vulnerability (CVE-2026-8732) affects all versions up to and including 6.1.0. The plugin has already been sold over 15,800 times through the Envato marketplace and is used in numerous companies, real estate portals, and travel providers.

The security service provider Defiant, operator of the Wordfence protection software, recorded more than 3,600 blocked exploitation attempts within a 24-hour period. This points to automated, widespread attack campaigns. The technical cause lies in a support function that was intended to allow vendor personnel remote access to customer websites. Security researcher David Brown identified fundamental design flaws: the AJAX endpoint used for this purpose is publicly accessible, and authentication is based solely on a nonce value that is exposed in frontend JavaScript and can be easily read by attackers.

An attack proceeds fully automatically. The attacker sends a crafted HTTP request with the parameter check_temp=false to the unsecured endpoint. The plugin backend then calls the WordPress function wp_insert_user() and creates a new user with the Administrator role without further validation. The email address is fixed to support@flippercode.com, and the username is randomly generated. The system then generates a magic login link via the generate_login_link() function, stores it as metadata, and sends it directly in the HTTP response to the attacker. Accessing this URL results in automatic authentication in the WordPress dashboard with admin privileges, without a password prompt.

With a compromised administrator account, attackers can inject persistent backdoors into the source code, exfiltrate user data, distribute malware, or abuse the affected website for further attacks. Complete system compromise is the result. Users of WP Maps Pro should disable the plugin until a security patch is available or switch to alternative mapping solutions.
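For site owners who need to check whether the account-creation flow described above has already been triggered against them, the following is an added triage script, not code from the article, Wordfence or Flippercode. It runs against an in-memory SQLite copy of the standard WordPress `wp_users` / `wp_usermeta` tables (a real site stores these in MySQL/MariaDB, so point it at an export or adapt the connection) and flags administrator accounts that match the indicators the article gives: the fixed e-mail `support@flippercode.com` and creation inside an assumed campaign window. The table prefix, the sample rows and the window start are assumptions for the example.

```python
import sqlite3
from datetime import datetime

# Constructed fixture that mirrors the standard WordPress tables wp_users and
# wp_usermeta (real sites run MySQL/MariaDB; SQLite keeps this runnable offline).
# The e-mail address is the one the article says the vulnerable support function
# hard-codes; every other value below is made up for the example.
SUSPECT_EMAIL = "support@flippercode.com"
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'  # WordPress serialized capabilities array


def build_fixture(conn: sqlite3.Connection) -> None:
    """Create and populate a minimal, constructed wp_users / wp_usermeta pair."""
    cur = conn.cursor()
    cur.executescript(
        """
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        """
    )
    rows = [
        # (ID, login, e-mail, registered, serialized capabilities)
        (1, "siteowner", "owner@example.org", "2024-01-10 09:00:00", ADMIN_CAPS),
        (2, "editor_jane", "jane@example.org", "2024-03-02 11:30:00", 'a:1:{s:6:"editor";b:1;}'),
        # Constructed sample of the account pattern the article describes:
        # random login, fixed vendor e-mail, administrator role, recent creation.
        (3, "x7q2k9p4", SUSPECT_EMAIL, "2026-06-02 23:41:17", ADMIN_CAPS),
    ]
    for uid, login, email, registered, caps in rows:
        cur.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)", (uid, login, email, registered))
        cur.execute(
            "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
            (uid, "wp_capabilities", caps),
        )
    conn.commit()


def find_suspect_admins(conn: sqlite3.Connection, since: datetime, table_prefix: str = "wp_") -> list[dict]:
    """Return administrator accounts matching the article's indicators.

    An account is flagged when its e-mail is the hard-coded vendor address or
    when it was registered at/after `since` (the start of the observed campaign
    window). Each hit lists which indicators matched so an analyst can triage.
    """
    if not table_prefix.replace("_", "").isalnum():  # prefix is interpolated, keep it sane
        raise ValueError("invalid table prefix")
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {table_prefix}users AS u
        JOIN {table_prefix}usermeta AS m ON m.user_id = u.ID
        WHERE m.meta_key = ? AND m.meta_value LIKE ?
    """
    # The capabilities meta_key carries the table prefix; the LIKE matches the
    # serialized PHP array without needing a PHP unserializer.
    params = (f"{table_prefix}capabilities", '%"administrator"%')
    hits = []
    for uid, login, email, registered in conn.execute(sql, params):
        reasons = []
        if email.lower() == SUSPECT_EMAIL:
            reasons.append("vendor_support_email")
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= since:
            reasons.append("registered_in_window")
        if reasons:
            hits.append({"id": uid, "login": login, "email": email,
                         "registered": registered, "reasons": reasons})
    return hits


def demo() -> list[dict]:
    """Build the constructed fixture and run the audit over it."""
    conn = sqlite3.connect(":memory:")
    build_fixture(conn)
    # Window start is an assumed value; on a real site use the earliest blocked attempt.
    return find_suspect_admins(conn, since=datetime(2026, 6, 1))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Any hit with `vendor_support_email` is a strong indicator that the support endpoint was invoked; a hit on the time window alone only narrows the review to accounts an administrator must confirm were created legitimately. Either way, the account should be removed and the site checked for the persistent backdoors the article warns about, since deleting the user does not undo changes made while it was logged in.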


Source: www.it-daily.net · Published June 3, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.