A critical WordPress plugin flaw can let attackers create rogue administrator accounts. The issue hits WP Maps Pro and carries the identifier CVE-2026-8732, with a 9.8 CVSS score.
Wordfence says attackers have actively exploited vulnerable WP Maps Pro versions. The NVD record describes a path that could let an unauthenticated attacker create a WordPress user with administrator permissions.
What WP Maps Pro sites need to know
WP Maps Pro gives WordPress sites mapping and store-locator features. The CVE description says vulnerable releases include versions up to and including 6.1.0. Reports say version 6.1.1 fixes the bug, so site owners using the plugin should update now.
The risk comes from the access level. This flaw does not stop at a front-end glitch. A successful attack can hand over a full administrator login, letting the intruder change settings, add malware, create more users, or take over the site.
Why the bug is so serious
The problem traces back to a temporary-access feature meant to help support staff troubleshoot customer sites. The NVD description says a public AJAX path and a weak access-control check opened a route to administrator account creation without a login.
Wordfence credited security researcher David Brown with finding and reporting the bug. The Hacker News also reported that Wordfence blocked 2,858 exploit attempts against the issue in 24 hours. That makes this an active incident, not just another plugin changelog note.
What admins should check now
Any site using WP Maps Pro should confirm version 6.1.1 or later, then review the WordPress user list for unfamiliar administrators. Admins should also check recent logins, rotate credentials if anything looks suspicious, and look for unexpected plugins, redirects, or scheduled tasks.
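The version and user-list checks above can be scripted. The following is an added example, not code from Wordfence, the plugin vendor, or this article: it assumes the administrator list was exported with WP-CLI (`wp user list --role=administrator --format=json`), and the account names, the allowlist, and the review-window date are constructed for illustration.

```python
import json
from datetime import datetime

FIXED_VERSION = "6.1.1"  # first fixed release according to the article

def parse_version(text):
    """'6.1.0' -> (6, 1, 0). Compared numerically; trailing suffixes like '-rc1' are dropped."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(installed):
    return parse_version(installed) < parse_version(FIXED_VERSION)

def suspicious_admins(users_json, known_logins, review_start):
    """Flag administrators missing from the allowlist or registered on/after review_start."""
    known = {name.lower() for name in known_logins}
    start = datetime.strptime(review_start, "%Y-%m-%d")
    findings = []
    for user in json.loads(users_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"].lower() not in known:
            reasons.append("not on allowlist")
        if registered >= start:
            reasons.append("registered in review window")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings

# Constructed sample, shaped like `wp user list --role=administrator --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 09:14:55"},
    {"ID": 7, "user_login": "editor-lead", "user_registered": "2023-11-20 16:40:01"},
    {"ID": 42, "user_login": "support_tmp", "user_registered": "2026-01-05 03:12:44"},
])

if __name__ == "__main__":
    print("plugin vulnerable:", is_vulnerable("6.1.0"))
    for login, reasons in suspicious_admins(SAMPLE_USERS, ["siteowner", "editor-lead"], "2026-01-01"):
        print(login, "->", ", ".join(reasons))
```

An account flagged only for its registration date may still be legitimate; the allowlist check is the stronger signal, so keep the list of expected administrators current.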
The story fits the software-supply-chain pattern Tech My Money has been tracking, including the recent Miasma worm campaign against Microsoft GitHub repositories. Attackers keep aiming at trusted tools because one weak plugin or workflow can become a shortcut into many sites at once.