A critical security vulnerability in WP Maps Pro, a popular WordPress plugin sold over 15,000 times on the Envato Market, is being actively exploited by threat actors to create malicious administrator accounts on vulnerable websites. Security researchers have observed ongoing exploitation attempts targeting sites running the affected plugin, which allows attackers to gain complete administrative control over compromised WordPress installations.

WP Maps Pro is a widely used plugin that enables WordPress site owners to embed customizable Google Maps and OpenStreetMap features, including markers, listings, and advanced location capabilities. The plugin's popularity and widespread deployment make it an attractive target for attackers seeking to compromise multiple websites through a single vulnerability.

The security flaw allows unauthenticated attackers to create administrator-level accounts without proper authorization checks. Once exploited, threat actors gain full control over the affected WordPress site, enabling them to modify content, install additional malicious plugins, steal sensitive data, or use the compromised site as part of a larger attack infrastructure. The active exploitation indicates that attackers have developed reliable exploit code and are systematically scanning for vulnerable installations.

Website owners running WP Maps Pro face significant risk of complete site compromise if the vulnerability remains unpatched. Successful exploitation can lead to data breaches, defacement, malware distribution, search engine blacklisting, and potential legal liability if the compromised site is used to attack others. Organizations using this plugin may also face compliance violations if customer data is exposed through the vulnerability.

Administrators should immediately update WP Maps Pro to the latest patched version and conduct a thorough audit of all user accounts, particularly those with administrator privileges. Any suspicious or unrecognized administrator accounts should be removed immediately. Site owners should also review recent plugin installations, file modifications, and access logs for signs of compromise. Organizations unable to update immediately should consider temporarily disabling the plugin until patches can be applied, weighing the security risk against the loss of map functionality.

Source: https://nvd.nist.gov/vuln/detail/CVE-2026-8732