If your small business website runs WordPress with the WP Maps Pro plugin — a popular store-locator and Google Maps add-on — there is a critical flaw being actively exploited right now that lets a stranger on the internet create a full administrator account on your site, with no password and no clicks from you. Attackers can then take over the site, plant malware, redirect customers, or harvest data. This is one of the fastest-moving WordPress attacks of 2026, and it directly affects the kind of small-business websites common across York County.
What happened
Security researchers disclosed CVE-2026-8732, a critical (CVSS 9.8) vulnerability in the WP Maps Pro WordPress plugin. It allows unauthenticated users to gain full administrative control of any WordPress installation running an unpatched version of the plugin.
The root cause is a "temporary access" feature the plugin's developers built so their own support staff could log into customer sites. That feature registered an AJAX action called wpgmp_temp_access_ajax using WordPress's wp_ajax_nopriv_ hook, which means unauthenticated users can call it. The only protection was a nonce check, but the nonce itself was embedded publicly into every frontend page of the site via wp_localize_script. Translation: the "security check" was printed in plain text on every page of your own website, so any attacker could read it and walk in.
An attacker who calls the endpoint with the parameter "check_temp=false" triggers the "wpgmp_temp_access_support()" function, which unconditionally creates a new WordPress user with the hardcoded role of administrator and returns a magic login URL. One HTTP request, and an attacker is now an admin on your site.
Why this matters for small businesses
WP Maps Pro is sold on Envato Market and is widely used by businesses that need a store locator, service-area map, or location finder on their website — exactly the kind of feature small contractors, retailers, restaurants, and service businesses bolt onto a WordPress site. With over 15,800 sales through Envato Market, the exposed install base is large, and the CVSS score of 9.8 reflects how little an attacker needs to exploit it.
Exploitation isn't theoretical. Wordfence reported blocking 2,858 exploitation attempts in a single 24-hour period; the fix shipped in version 6.1.1. Once an attacker has admin, they can install backdoors, redirect your customers to phishing or malware pages, scrape customer data from contact forms and orders, send spam from your domain (wrecking your email deliverability), or hold the site hostage. Because the attacker is using a legitimate admin login they created, generic malware scanners often miss it — there are no obviously "infected" files to flag. You can review York Computer's managed IT services for a clearer picture of what proactive website and endpoint monitoring looks like.
What your managed-IT provider should be doing this week
If you have an MSP or web partner managing your WordPress site, this is what good looks like right now:
The plugin maintainers addressed the issue on May 20, 2026, with the release of version 6.1.1. The fix is straightforward: the endpoint now requires the requesting user to already be an authenticated administrator before it'll do anything. All versions up to and including 6.1.0 remain vulnerable. Step one is to update WP Maps Pro to 6.1.1 (or newer) immediately, or disable the plugin if you can't update right away.
Step two is to assume you may have already been hit and prove otherwise. After updating, immediately audit your WordPress user list for unrecognised administrator accounts — particularly recently created accounts with unusual usernames or email addresses. Check the WordPress activity logs for user creation events from external IP addresses. If a rogue admin shows up, treat the site as compromised: rotate every credential, review installed themes and plugins for backdoors, and check for injected scripts or redirects.
Step three is structural: enforce MFA on every WordPress admin account, keep plugins on a managed update cadence (not "whenever someone remembers"), and put a web application firewall in front of the site so a future zero-day gets blocked at the door instead of executing inside your site.
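As an added example (not from the original article, the plugin's authors, or York Computer), the Python below performs the step-two triage: it scans web-server access-log lines for requests that invoke the wpgmp_temp_access_ajax action described above, then lists administrator accounts registered at or after the first such request. The log lines and user records are constructed samples, and the field names mirror a typical WordPress user export.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format, TEST-NET addresses); not real traffic.
SAMPLE_LOG = """\
198.51.100.2 - - [21/May/2026:03:10:41 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2026:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.2 - - [21/May/2026:03:15:10 +0000] "GET /store-locator/ HTTP/1.1" 200 9043 "-" "Mozilla/5.0"
"""
# Constructed user records shaped like a WordPress user export (user_registered is stored in UTC).
SAMPLE_USERS = [
    {"user_login": "owner", "user_email": "owner@example.com", "user_registered": "2024-02-11 09:30:00", "roles": "administrator"},
    {"user_login": "editor1", "user_email": "ed@example.com", "user_registered": "2026-05-21 03:20:00", "roles": "editor"},
    {"user_login": "svc_tmp9", "user_email": "x@example.net", "user_registered": "2026-05-21 03:14:08", "roles": "administrator"},
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def suspicious_requests(log_text):
    """Return (timestamp, ip, query) for requests that invoke the vulnerable AJAX action.
    Caveat: an action sent only in a POST body never appears in the access log, so pair this
    with WAF or application logs rather than treating an empty result as a clean bill of health."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not urlsplit(m["target"]).path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = {k: v[0] for k, v in parse_qs(urlsplit(m["target"]).query).items()}
        if query.get("action") == "wpgmp_temp_access_ajax":
            hits.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"], query))
    return hits

def flag_admins(users, since=None):
    """Logins of administrator accounts registered at or after `since`; every admin if since is None."""
    flagged = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if since is None or registered >= since:
            flagged.append(u["user_login"])
    return flagged

def triage(log_text, users):
    """Correlate both checks; with no suspicious request, fall back to listing every admin for review."""
    hits = suspicious_requests(log_text)
    since = min(h[0] for h in hits) if hits else None
    return {"requests": hits, "admins_to_review": flag_admins(users, since)}
```

Call `triage(SAMPLE_LOG, SAMPLE_USERS)` to run it against the samples; swap in your own access log text and a user export to use it on a real site.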
Bigger picture: the patch window is shrinking
The thing that should worry every small-business owner about this incident isn't the plugin itself — it's the speed. Vulnerability disclosure programmes and security researchers like Brown play a critical role in catching these flaws before they cause widespread damage, but the 2,858 attacks blocked in a single day demonstrate that the window between disclosure and exploitation is now measured in hours, not weeks.
That is why "we'll patch it next month" is no longer a viable IT posture for any business that depends on its website, email, or cloud apps. Patch management, monitoring, and an actual incident-response plan need to be in place before the next critical CVE drops — not after.
What York Businesses Should Do
If your York County business runs a WordPress site with WP Maps Pro — common on contractor, retail, and restaurant sites that need a store locator or service-area map — update to version 6.1.1 today and audit your WordPress admin user list this week. If you're not sure who's responsible for patching your site, that's the gap to close first.
Sources
- WP Maps Pro WordPress flaw exploited to create admin accounts (TheNextWeb)
- CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password (Security Affairs)
- WP Maps Pro WordPress Plugin Privilege Escalation (CVE-2026-8732): Actively Exploited (Threat-Modeling.com)
- Vulnerability Intelligence Report — June 1, 2026 (Threat-Modeling.com)
- CVE-2026-8732 Detail (NVD)