01 June 2026
Reference: CVE-2026-8732
1. What is being reported?
The WP Maps Pro plugin used on WordPress websites has a flaw that lets unauthorised people create new administrator accounts. This happens because a security check meant to stop this can be bypassed, allowing attackers to log in as administrators without needing a password.
2. What this means in plain English
If your website uses this plugin, attackers could take over your site completely. They might change content, steal information, or use your site to attack others. This is a high-risk issue because it gives full control to someone who should not have it.
3. Could this affect a small business?
Small businesses, charities, clubs, or any organisation using WordPress with the WP Maps Pro plugin version 6.1.0 or earlier are at risk. If you do not use this plugin, or use a different mapping tool, you are likely not affected.
4. What to do now
- Check if your website uses the WP Maps Pro plugin and identify its version.
- Contact your website manager or IT provider immediately to update the plugin to a safe version if available.
- If an update is not yet available, ask your IT provider about temporary measures to block unauthorised access.
- Review your website’s user accounts for any unknown administrators and remove them.
5. Ask your IT provider
Can you confirm if our WordPress site uses the WP Maps Pro plugin version 6.1.0 or earlier, and if so, have you applied the necessary updates or protections against the CVE-2026-8732 vulnerability?
6. Bottom line
If you use WP Maps Pro on your WordPress site, act quickly to prevent hackers from taking control.
Information based on CISA KEV, NVD, and reputable security reporting.