GoKawiilHackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication.
The vulnerability, tracked as CVE-2026-8732, has a critical severity rating and impacts WP Maps Pro versions 6.1.0 and older. It was discovered and reported by security researcher David Brown.
WP Maps Pro is a premium WordPress plugin for building interactive, customizable maps and store locators. It supports multiple map providers, such as Google Maps and OpenStreetMap.
The plugin is typically used by businesses, real estate websites, travel sites, directories, and organizations that need to display multiple locations on a map, and has over 15,800 sales on the Envato Market.
The CVE-2026-8732 vulnerability is caused by a “temporary access” feature in the plugin, intended to allow vendor support staff to access customer sites for troubleshooting.
Brown found that the AJAX endpoint used for this feature was accessible to unauthenticated users and relied solely on a publicly exposed nonce check in frontend JavaScript, rendering the protection ineffective.
This allows sending a specially crafted request that triggers code to create a new WordPress user, assign it the administrator role, generate a passwordless login URL, and send it to a remote system.
Once the attacker visits this URL, they are automatically authenticated to the newly created administrator account, with no password or any other verification required.
Researchers at WordPress security company Defiant observed that threat actors are trying to exploit the vulnerability, and blocked more than 3,600 attempts over the past 24 hours.
Creating a rogue admin user
... continue reading