Threat actors are exploiting a critical-severity vulnerability in the WP Maps Pro WordPress plugin to take over websites, Defiant warns.
WP Maps Pro allows site administrators to embed Google Maps in their installations, customizable with advanced location, markers, and categories.
The exploited vulnerability, tracked as CVE-2026-8732 (CVSS score of 9.8), allows unauthenticated threat actors to create new administrative accounts and take over vulnerable sites.
WP Maps Pro includes support tooling that exposes a temporary-access feature, which the vendor uses to log in to customer sites while troubleshooting.
According to Defiant, the flaw lies in the AJAX callback function that handles temporary-access generation, which is protected only by a nonce check.
The nonce, it explains, is embedded in every frontend page and thus exposed to any unauthenticated visitor, which makes the nonce check ineffective as an access control: a WordPress nonce is a cross-site request forgery token, not proof of who is making the request or of what that caller is allowed to do.
Furthermore, the handler performs no capability check, so an unauthenticated attacker can invoke the AJAX action with the check_temp parameter set to false and have the plugin create a new WordPress user with the administrator role.
The user is created with a random username and a hardcoded email address. The function then generates a magic login URL and returns it in the response, so the attacker can authenticate as the new administrator without a password or any additional verification.
“As a result, an attacker gains full administrator-level control over the site and can install malicious plugins, modify themes, inject backdoors, exfiltrate data, or deploy web shells for persistent access,” Defiant explains.
The vulnerability was addressed in WP Maps Pro version 6.1.1, which adds a capability check to restrict access to authenticated administrators.
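To make the bug class concrete, the following is an added illustration, not WP Maps Pro's code and not taken from Defiant's report: a WordPress AJAX handler guarded only by a nonce, registered on the unauthenticated hook, beside a hardened version that checks capabilities first. The action name wpmp_demo_temp_access, the nonce action wpmp_demo_nonce, the helper wpmp_demo_magic_login_url() and the support@example.com address are assumptions made for the example; check_temp is the parameter the report names.

```php
<?php
// Added illustration only; hook, function and option names below are hypothetical.

// ---- Vulnerable pattern: nonce-only check, reachable without logging in ----
// Registering the nopriv hook exposes the callback to anonymous requests to admin-ajax.php.
add_action( 'wp_ajax_nopriv_wpmp_demo_temp_access', 'wpmp_demo_temp_access_vulnerable' );
add_action( 'wp_ajax_wpmp_demo_temp_access', 'wpmp_demo_temp_access_vulnerable' );

function wpmp_demo_temp_access_vulnerable() {
    // The nonce is printed into every front-end page (e.g. via wp_localize_script),
    // so any visitor can read it. check_ajax_referer() therefore only proves the
    // caller saw a public page; it says nothing about who the caller is.
    check_ajax_referer( 'wpmp_demo_nonce', 'nonce' );

    // No current_user_can() check. With check_temp=false the request falls
    // straight through to account creation.
    $check_temp = ! isset( $_POST['check_temp'] ) || 'false' !== $_POST['check_temp'];
    if ( $check_temp ) {
        wp_send_json_error( 'temporary access already active' );
    }

    $username = 'support_' . wp_generate_password( 8, false );
    $user_id  = wp_create_user( $username, wp_generate_password( 24, true ), 'support@example.com' );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    $user = new WP_User( $user_id );
    $user->set_role( 'administrator' );

    // The passwordless login link is handed back to whoever called the action.
    wp_send_json_success( array( 'login_url' => wpmp_demo_magic_login_url( $user_id ) ) );
}

// ---- Hardened pattern: authorization first, CSRF token second ----
// Only the authenticated hook is registered; anonymous requests to this action
// get WordPress's default "0" response instead of reaching the callback.
add_action( 'wp_ajax_wpmp_demo_temp_access_fixed', 'wpmp_demo_temp_access_hardened' );

function wpmp_demo_temp_access_hardened() {
    // Creating and promoting an administrator needs both of these capabilities.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // The nonce now does the one job it is designed for: blocking CSRF against
    // an administrator who is already allowed to perform this action.
    check_ajax_referer( 'wpmp_demo_nonce', 'nonce' );

    $check_temp = ! isset( $_POST['check_temp'] ) || 'false' !== $_POST['check_temp'];
    if ( $check_temp ) {
        wp_send_json_error( 'temporary access already active' );
    }

    $username = 'support_' . wp_generate_password( 8, false );
    $user_id  = wp_create_user( $username, wp_generate_password( 24, true ), 'support@example.com' );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    $user = new WP_User( $user_id );
    $user->set_role( 'administrator' );

    // Do not echo the login link to the HTTP caller; record that it was issued
    // and deliver it out of band (e.g. to the site owner's email) instead.
    $login_url = wpmp_demo_magic_login_url( $user_id );
    update_user_meta( $user_id, 'wpmp_demo_issued_by', get_current_user_id() );
    wp_mail( get_option( 'admin_email' ), 'Temporary support access issued', $login_url );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Hypothetical helper: a single-use, time-limited token stored hashed in user meta.
// A matching consumer on the login page would compare hash('sha256', $token),
// check the expiry, delete the meta and call wp_set_auth_cookie().
function wpmp_demo_magic_login_url( $user_id ) {
    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'wpmp_demo_magic_hash', hash( 'sha256', $token ) );
    update_user_meta( $user_id, 'wpmp_demo_magic_expires', time() + HOUR_IN_SECONDS );
    return add_query_arg(
        array( 'wpmp_demo_magic' => $token, 'uid' => $user_id ),
        wp_login_url()
    );
}
```

The first two lines of the hardened callback are the whole fix the article describes: authorization (current_user_can) must come before, and independently of, the nonce check, and the callback must not be registered on a wp_ajax_nopriv_ hook. Dropping the nopriv registration and not returning the magic link to the HTTP caller are additional hardening choices made in this example; the report only states that the patched plugin adds a capability check restricting the action to authenticated administrators.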
Defiant says it has blocked over 1,700 attacks targeting CVE-2026-8732 over the past 24 hours.
Related: CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day
Related: Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack
Related: Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks
Related: Exploited ‘Post SMTP’ Plugin Flaw Exposes WordPress Sites to Takeover

