Within the last 24 hours, an extremely critical vulnerability (CVE-2026-8732) has been discovered in the popular WordPress plugin 'WP Maps Pro', with active exploitation confirmed. This vulnerability poses a severe risk, allowing unauthenticated attackers to freely create administrator accounts on WordPress sites and take complete control of them. According to Wordfence reports, thousands of attacks have been blocked in the past 24 hours. Immediately update the plugin to the latest version to ensure site security.
Vulnerability Overview and Scope of Impact
CVE-2026-8732, present in WP Maps Pro plugin versions 6.1.0 and below, is a privilege escalation vulnerability rated 'CRITICAL' with a CVSS score of 9.8. It stems from a flawed implementation of the plugin's 'Temporary Access' support feature. Originally intended to let support staff log into customer sites for troubleshooting, the feature's handler was registered on the `wp_ajax_nopriv_` hook, which WordPress fires for requests from visitors who are not logged in, and the nonce it required was printed into the public frontend page. A WordPress nonce is a CSRF token, not an authentication or authorization check, so once it is visible to anonymous visitors anyone who loads the page can read it and call the endpoint; nothing else stood between an unauthenticated request and the account-creation logic.
Specific Impacts and Attack Scenarios
By exploiting this vulnerability, attackers can create an administrator user on any WordPress site without authentication. Once administrator privileges are acquired, attackers can perform various malicious operations, including tampering with website content, installing malicious plugins or themes, setting up backdoors, and even stealing confidential information. Notably, Wordfence has observed 2,858 attacks in the past 24 hours, indicating active exploitation.
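The two paragraphs above describe a bug class that is easy to reproduce in any plugin: an AJAX handler on the logged-out hook, gated by a nonce that the frontend hands out to everyone. The block below is an added illustration written for this page; it is not code from WP Maps Pro, and the action name `wpmp_support_access`, the function names and the script handle are invented. It shows the vulnerable shape next to a hardened one that uses only the authenticated hook, adds a capability check, and emits the nonce only to users who pass that same check.

```php
<?php
/**
 * Added illustration of the bug class described above. NOT code from
 * WP Maps Pro: the action name, function names and script handle are invented.
 * Drop it into wp-content/mu-plugins/ on a test site to compare the patterns.
 */

// ---- Vulnerable pattern (the shape the advisory describes) ------------------
// Registered on wp_ajax_nopriv_{action}, so WordPress runs it for visitors who
// are not logged in. The only gate is a nonce, and the same nonce is printed
// into a public page, so any visitor can read it and satisfy the check.
// Deliberately left unregistered here; shown for contrast only.
function wpmp_support_access_vulnerable() {
    // A nonce is a CSRF token tied to the current (possibly anonymous) session.
    // It proves the request came from a page that printed the nonce; it does
    // not prove the caller is allowed to do anything.
    check_ajax_referer( 'wpmp_support_access', 'nonce' );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true ),
        'user_pass'  => wp_unslash( $_POST['pass'] ?? '' ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'role'       => 'administrator',   // an anonymous caller ends up with an admin
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}
// add_action( 'wp_ajax_nopriv_wpmp_support_access', 'wpmp_support_access_vulnerable' );

// ---- Hardened pattern -------------------------------------------------------
// 1. Only the authenticated hook: wp_ajax_{action} is never fired for anonymous
//    requests, so a logged-out caller gets admin-ajax.php's literal "0" reply
//    and the handler never runs.
add_action( 'wp_ajax_wpmp_support_access', 'wpmp_support_access_hardened' );

function wpmp_support_access_hardened() {
    // 2. Nonce still checked, but for what it is actually for: CSRF.
    check_ajax_referer( 'wpmp_support_access', 'nonce' );

    // 3. Explicit authorization: the caller must already be allowed to create
    //    users. Merely being logged in (e.g. as a subscriber) is not enough.
    //    wp_send_json_error() exits after sending the response.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true ),
        'user_pass'  => wp_unslash( $_POST['pass'] ?? '' ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

// 4. Emit the nonce only into admin pages served to users who pass the same
//    capability check, never into the public frontend.
add_action( 'admin_enqueue_scripts', 'wpmp_support_access_script' );
function wpmp_support_access_script() {
    if ( ! current_user_can( 'create_users' ) ) {
        return;
    }
    wp_enqueue_script( 'wpmp-support', plugins_url( 'support.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wpmp-support', 'wpmpSupport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpmp_support_access' ),
    ) );
}
```

The design point is the order of the three gates in the hardened handler: the hook choice keeps anonymous requests out entirely, the nonce stops cross-site request forgery from a logged-in victim's browser, and the capability check is the only one of the three that actually decides who may create an administrator. Removing any one of them, or leaking the nonce to the public page, brings the handler back to the vulnerable shape.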
Immediate Measures Engineers Should Take
The most crucial measure is to immediately update the WP Maps Pro plugin to **version 6.1.1 or higher**. This version fixes the vulnerability and restricts access to the endpoint to authenticated administrators only. If you cannot update right away, deactivate the plugin: a deactivated plugin's code is not loaded, so its AJAX action is never registered. Note that updating closes the hole but does not undo an intrusion that has already happened. Since the vulnerability is being actively exploited, review the site's administrator list and the registration dates of recently created users, and treat any account you did not create as a sign of compromise, not as a false alarm.
Additionally, as a general WordPress site security enhancement, it is highly recommended to apply server-level settings that prohibit the execution of PHP scripts within the `uploads` directory. This measure helps prevent the execution of malicious PHP files, such as webshells, even if an attacker manages to compromise the site and upload them.
```nginx
# Place this before the "location ~ \.php$" block that passes requests to
# PHP-FPM: nginx evaluates regex locations in file order and stops at the
# first match, so if it comes later it never fires.
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;   # respond 403; the file is never handed to the PHP handler
}
```

The Nginx configuration above refuses any request for a `.php` file under an `uploads` or `files` directory (WordPress stores uploads in `wp-content/uploads`), so a webshell dropped there returns 403 instead of executing. Because nginx evaluates regular-expression `location` blocks in the order they appear and uses the first match, the block must be placed before the general `location ~ \.php$` block that proxies to PHP-FPM. If you are using Apache, apply an equivalent `.htaccess` rule in the uploads directory.