- Researchers disclosed a critical flaw in WP Maps Pro allowing attackers to create hardcoded admin accounts
- Exploitation is active: Wordfence blocked over 3,600 attempts in a single day
- Patch released May 20 (v6.1.1); users must upgrade immediately
Criminals are actively exploiting a critical vulnerability in a popular WordPress plugin to create admin accounts and thus take over entire websites. This is according to multiple security researchers including David Brown (who first disclosed the flaw), and Defiant, who confirmed in-the-wild exploitation attempts.
The plugin in question is called WP Maps Pro, it is a premium WordPress plugin used to create customizable maps, interactive store locators, and similar, using either Google Maps or OpenStreetMap. The plugin is currently used by more than 15,000 websites, according to Envato Market numbers.
As per Brown’s research, the plugin suffered from a “privilege escalation via administrator account creation” vulnerability which allowed threat actors to create a new WordPress user with a hardcoded admin role. The vulnerability is now tracked as CVE-2026-8732, and carries a severity score of 9.8/10 (critical). It was found in versions 6.1.0 and older.
Applying a fix
Defiant, the cybersecurity company behind Wordfence, said its researchers observed and stopped more than 3,600 exploitation attempts in just one day.
“When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com,” the researchers said. “The function then generates a “magic login URL” using generate_login_link(), stores it as user meta, and returns it in the response body.”
The fix was released four days after initial disclosure, on May 20. Users are advised to upgrade to version 6.1.1 as soon as possible to avoid being targeted.
With WordPress powering much of today’s internet, it is also one of the most targeted platforms in existence. Its vast ecosystem of plugins and themes, both free and premium, are constantly being abused in attacks such as this one.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/PxxKy74xA4GapoubYuoRtK-2560-80.jpg
Source link
