Urgent Update Alert: WP Maps Pro Vulnerability Under Attack, 2,858 Exploits Blocked in 24 Hours
June 1, 2026
Wordfence reports rapid exploitation of the WP Maps Pro vulnerability, blocking 2,858 attacks in a 24-hour window, underscoring the urgency for site owners to update to the latest version.
Readers are urged to update to the newest WP Maps Pro release to mitigate ongoing exploitation and prevent administrator account compromise.
The flaw affects WP Maps Pro versions up to 6.1.0 and was discovered by security researcher David Brown, with validation from Defiant researchers.
Defiant and Wordfence confirm active exploitation of the vulnerability publicly disclosed by Brown.
WP Maps Pro is a premium plugin used to embed maps and store locators on WordPress sites, broadening the impact for sites relying on it.
With estimates that more than 15,000 sites rely on WP Maps Pro, attackers view it as a high-value target.
Background context includes Wordfence advisories and other WordPress plugin vulnerabilities for readers seeking broader security context.
The critical CVE-2026-8732 flaw in WP Maps Pro allows unauthenticated creation of administrator accounts via a flawed temporary access feature.
Attackers can obtain a random username and a hardcoded email, receive a magic login URL, and authenticate without a password, granting full admin access.
An exposed AJAX endpoint that relied only on a public nonce check let crafted requests create new administrator accounts and generate a passwordless login link.
Wordfence notes attackers started exploiting immediately after disclosure, with 2,003 attacks blocked in the 24 hours before the patch.
In total, 2,858 exploitation attempts were blocked within 24 hours, and the issue affected all versions up to 6.1.0; a fix arrived in 6.1.1 released May 20, 2026.
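A triage sketch for site owners, added here as an example and not taken from Wordfence, Defiant or the plugin: it checks an installed version against the 6.1.1 fix and lists administrator accounts that are new and not on an allowlist. The input shape follows `wp user list --role=administrator --format=json`; the sample records, the allowlist and the review-window start date are constructed assumptions.

```python
import json
import re
from datetime import datetime

FIXED_VERSION = (6, 1, 1)  # per the summary above: affected up to 6.1.0, fixed in 6.1.1

# Constructed sample in the shape of
# `wp user list --role=administrator --format=json` (not real data).
SAMPLE_ADMINS = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "user_registered": "2023-02-11 09:30:00"},
 {"ID": 7, "user_login": "editor-jo", "user_email": "jo@example.com",
  "user_registered": "2026-05-12 14:00:00"},
 {"ID": 41, "user_login": "tmp_8f3a1c", "user_email": "access@example.invalid",
  "user_registered": "2026-05-19 03:12:44"}
]"""
KNOWN_ADMINS = {"siteowner", "editor-jo"}  # assumption: allowlist kept by the site owner
REVIEW_SINCE = "2026-05-01"  # assumption: review window start chosen by the auditor


def parse_version(text):
    """Turn '6.1.0' or '6.1' into a comparable 3-tuple, ignoring suffixes."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(installed_version):
    """True when the installed release predates the fixed release."""
    return parse_version(installed_version) < FIXED_VERSION


def unexpected_admins(users_json, known_logins, since):
    """Admins registered on or after `since` whose login is not allowlisted."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    known = {name.lower() for name in known_logins}
    flagged = []
    for user in json.loads(users_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff and user["user_login"].lower() not in known:
            flagged.append(user)
    return sorted(flagged, key=lambda u: u["user_registered"])


if __name__ == "__main__":
    print("plugin 6.1.0 vulnerable:", is_vulnerable("6.1.0"))
    for u in unexpected_admins(SAMPLE_ADMINS, KNOWN_ADMINS, REVIEW_SINCE):
        print("review:", u["ID"], u["user_login"], u["user_email"], u["user_registered"])
```

An account flagged here is a lead for review, not proof of compromise, and accounts registered before the window are not examined.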
Summary based on 6 sources
Sources

The Hacker News • Jun 1, 2026
Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts
Security Affairs • Jun 1, 2026
CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password
BleepingComputer • May 31, 2026
WP Maps Pro bug exploited to create admin accounts on WordPress sites