WP Maps Pro plugin flaw to create admin accounts on WordPress sites saw 3,600…
Criminals are actively exploiting a critical vulnerability in a popular WordPress plugin to create admin accounts and take over entire websites, according to multiple security researchers, including David Brown, who first disclosed the flaw, and Defiant, which confirmed in-the-wild exploitation attempts.
The plugin in question is WP Maps Pro, a premium WordPress plugin used to create customizable maps, interactive store locators, and the like, using either Google Maps or OpenStreetMap. More than 15,000 websites currently use it, according to Envato Market figures.
As per Brown’s research, the plugin suffered from a “privilege escalation via administrator account creation” vulnerability which allowed threat actors to create a new WordPress user with a hardcoded admin role. The vulnerability is now tracked as CVE-2026-8732, and carries a severity score of 9.8/10 (critical). It was found in versions 6.1.0 and older.

Defiant, the cybersecurity company behind Wordfence, said its researchers observed and stopped more than 3,600 exploitation attempts in just one day.
“When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com,” the researchers said. “The function then generates a ‘magic login URL’ using generate_login_link(), stores it as user meta, and returns it in the response body.”
The fix was released four days after initial disclosure, on May 20. Users are advised to upgrade to version 6.1.1 as soon as possible to avoid being targeted.
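The account this flaw creates has recognisable traits (administrator role, the hardcoded address support@flippercode.com), so an audit of administrator accounts is a useful check after patching. The script below is an added example, not code from the researchers or the plugin: it assumes its input is the JSON printed by WP-CLI's `wp user list --role=administrator --format=json`, and the sample users, allowlist and cutoff date are constructed.

```python
import json
from datetime import datetime

IOC_EMAIL = "support@flippercode.com"  # hardcoded address quoted in the article
FIXED_VERSION = (6, 1, 1)              # first patched release per the article

def parse_version(v):
    """Turn '6.1.0' into (6, 1, 0); missing or non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_vulnerable(version):
    """True for 6.1.0 and older, the range the article reports as affected."""
    return parse_version(version) < FIXED_VERSION

def audit_admins(users_json, known_admins, since):
    """Return [(login, [reasons])] for suspicious administrator accounts.

    users_json   -- WP-CLI JSON export of administrators (assumed input format)
    known_admins -- set of logins the site owner expects to be administrators
    since        -- datetime; unknown admins registered on/after it are flagged
    """
    findings = []
    for u in json.loads(users_json):
        reasons = []
        if u["user_email"].strip().lower() == IOC_EMAIL:
            reasons.append("hardcoded-email")
        # The email can be edited after creation, so also flag unexpected new admins.
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["user_login"] not in known_admins and registered >= since:
            reasons.append("unexpected-new-admin")
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings

# Constructed sample data, not taken from any real site.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org",
     "user_registered": "2023-02-11 09:30:00", "roles": "administrator"},
    {"ID": 57, "user_login": "x9k2qplm", "user_email": "support@flippercode.com",
     "user_registered": "2026-05-18 03:14:07", "roles": "administrator"},
    {"ID": 58, "user_login": "newhire", "user_email": "newhire@example.org",
     "user_registered": "2026-05-19 10:00:00", "roles": "administrator"},
])

if __name__ == "__main__":
    for login, why in audit_admins(SAMPLE_USERS, {"siteowner"}, datetime(2026, 5, 1)):
        print(login, ",".join(why))
    print("6.1.0 vulnerable:", is_vulnerable("6.1.0"))
```

Any flagged account should be reviewed and removed together with its sessions, since upgrading the plugin does not delete accounts that were already created.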
With WordPress powering much of today’s internet, it is also one of the most targeted platforms in existence. Its vast ecosystem of plugins and themes, both free and premium, is constantly being abused in attacks such as this one.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.