May 30, 2026

Critical WordPress Plugin Vulnerability Actively Exploited by Attackers

Website owners using the WP Maps Pro plugin are being urged to update immediately after security researchers confirmed active attacks targeting a critical vulnerability in the software. The flaw, identified as CVE-2026-8732, has received a severity rating of 9.8 out of 10, making it one of the most serious WordPress vulnerabilities reported this year. WP Maps Pro is a widely used plugin with more than 15,000 sales through the Envato Market platform.
According to security researchers, the vulnerability allows attackers to create administrator accounts without needing a username, password, or any form of authentication. Once an administrator account is created, attackers can gain complete control of the affected website.
The issue was traced to a temporary access feature that was originally designed to help support teams troubleshoot customer websites. However, researchers discovered that the protection mechanism used by the feature could be bypassed because the required security token was publicly available on website pages, making it accessible to anyone.
Security companies have already observed active exploitation attempts in the wild. Attackers have been using the flaw to install malicious plugins, create hidden backdoors, upload web shells, and steal sensitive website data. In one 24-hour period alone, security firm Wordfence reported blocking more than 2,800 attack attempts targeting vulnerable websites.
A security update addressing the issue was released on May 20, 2026, as part of WP Maps Pro version 6.1.1. Website administrators are strongly advised to update to the latest version as soon as possible and review their user accounts for any unauthorized administrator access.
The incident serves as another reminder that delayed software updates can leave websites exposed to serious security risks. Regular patching, security monitoring, and user account reviews remain essential for protecting WordPress environments from emerging threats.
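For the update and account review recommended above, the following added example (not code from the plugin vendor or the researchers) checks an installed version against the fixed 6.1.1 release and flags administrator accounts from WP-CLI's JSON user listing. The allowlist, the review-window start date and the sample accounts are constructed assumptions.

```python
import json
import re
from datetime import datetime

FIXED_VERSION = (6, 1, 1)  # WP Maps Pro release that fixes CVE-2026-8732, per the article

def is_patched(installed: str) -> bool:
    """True when the installed plugin version is at or above the fixed release."""
    nums = [int(n) for n in re.findall(r"\d+", installed)[:3]]
    nums += [0] * (3 - len(nums))          # "6.2" is compared as 6.2.0
    return tuple(nums) >= FIXED_VERSION

def review_admins(wp_cli_json: str, known_admins: set, window_start: str) -> list:
    """Return administrator accounts that need a human look, with the reasons."""
    start = datetime.strptime(window_start, "%Y-%m-%d")
    findings = []
    for user in json.loads(wp_cli_json):
        reasons = []
        if user["user_login"].lower() not in known_admins:
            reasons.append("not on allowlist")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= start:
            reasons.append("created in review window")
        if reasons:
            findings.append({"login": user["user_login"],
                             "registered": user["user_registered"],
                             "reasons": reasons})
    return findings

# Constructed sample in the shape produced by:
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json
SAMPLE_ADMINS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com", "user_registered": "2023-02-11 09:30:00"},
 {"ID": 7, "user_login": "jane", "user_email": "jane@example.com", "user_registered": "2026-05-25 14:02:10"},
 {"ID": 9, "user_login": "support_4821", "user_email": "s4821@example.net", "user_registered": "2026-05-22 03:14:07"}
]"""
KNOWN_ADMINS = {"siteowner", "jane"}   # assumption: the operator's own list of expected admins
WINDOW_START = "2026-05-01"            # assumption: operator-chosen start of the review window

if __name__ == "__main__":
    print("plugin patched:", is_patched("6.1.0"))
    for f in review_admins(SAMPLE_ADMINS_JSON, KNOWN_ADMINS, WINDOW_START):
        print(f["login"], f["registered"], "; ".join(f["reasons"]))
```

Keep the allowlist somewhere other than the WordPress database, since an attacker with administrator access can alter anything stored on the site itself.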
