A bug in a popular WordPress plugin is letting hackers create their own administrator accounts on business websites — no password, no login, no permission needed. It’s being actively exploited right now, and if your site runs the plugin, you’re a target.
This week in brief
- A fake “verify you’re human” page is spreading remote-control malware. The SmartApeSG campaign tricks people into copying and pasting a command that installs a remote access tool, then pulls down NetSupport RAT to hand attackers full control of the machine. SANS Internet Storm Center is tracking it. If an employee ever sees a page telling them to paste something into a Windows box to “fix” access, that’s the attack — stop right there.
- Your payment apps are paying attention to what you write. A new book covered on the Malwarebytes Lock and Code podcast documents small businesses getting cut off by Stripe, PayPal, and Venmo over what they sell or say — sometimes by mistake. Worth knowing if your business depends on a single payment processor. Have a backup.
The one that matters: a WordPress plugin is creating admin accounts for hackers
If your business website runs on WordPress — and a huge number of small business sites do — pay attention to this one.
There’s a plugin called WP Maps Pro. It builds those interactive maps and store locators you see on real estate sites, travel sites, directories, and any business that needs to show multiple locations. It’s sold over 15,800 copies. Plenty of small business sites are running it right now.
A security researcher named David Brown found a critical flaw in it, now tracked as CVE-2026-8732. Here’s what makes it bad. The plugin had a “temporary access” feature, meant to let the vendor’s support staff log into a customer’s site for troubleshooting. Reasonable idea. The problem is how it was protected — or rather, how it wasn’t. The feature ran through an endpoint that unauthenticated users could reach, and the only thing guarding it was a security token sitting in plain sight in the site’s frontend JavaScript. Anyone could read it. Which means anyone could use it.
So an attacker sends one specially crafted request. The plugin then creates a brand-new WordPress user, hands it the administrator role, generates a passwordless login link, and ships that link off to the attacker. They click it. They’re in. Full admin. No password ever entered, no verification of any kind. Bleeping Computer has the full breakdown.
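For readers who maintain WordPress plugins, here is the pattern the write-up describes and the corrected shape beside it. This is an added illustration, not WP Maps Pro's source: the route, option and function names (vendor/v1, vendor_support_token, vendor_support_grant_access_safe) are hypothetical, and it assumes a standard WordPress install with the REST API enabled.

```php
<?php
// Added illustration, not WP Maps Pro's source. All route, option and
// function names below are hypothetical.

// The shape the write-up describes: the route is open to everyone, and its only
// guard is a static token the plugin also prints into the page's JavaScript.
add_action( 'rest_api_init', function () {
    register_rest_route( 'vendor/v1', '/support-access', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',   // no authentication at all
        'callback'            => 'vendor_support_grant_access',
    ] );
} );
wp_localize_script( 'vendor-maps', 'vendorCfg',
    [ 'supportToken' => get_option( 'vendor_support_token' ) ] );   // secret reaches every visitor

// Corrected: only a logged-in administrator may call it, no secret reaches the
// browser, and the account it creates is least-privilege, time-limited and logged.
add_action( 'rest_api_init', function () {
    register_rest_route( 'vendor/v1', '/support-access-safe', [
        'methods'             => 'POST',
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'callback'            => 'vendor_support_grant_access_safe',
    ] );
} );

function vendor_support_grant_access_safe( WP_REST_Request $req ) {
    $expires = time() + HOUR_IN_SECONDS;
    $login   = 'support-' . wp_generate_password( 8, false );
    $pass    = wp_generate_password( 32, true );
    $user_id = wp_insert_user( [
        'user_login' => $login,
        'user_pass'  => $pass,
        'user_email' => sanitize_email( $req->get_param( 'support_email' ) ),
        'role'       => 'editor',   // the least role that lets support do its job
    ] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    wp_schedule_single_event( $expires, 'vendor_support_expire', [ $user_id ] );
    error_log( sprintf( 'support access for %s granted by user %d until %s',
        $login, get_current_user_id(), gmdate( 'c', $expires ) ) );
    // Credentials go back only to the administrator who made the request.
    return [ 'login' => $login, 'password' => $pass, 'expires' => $expires ];
}

add_action( 'vendor_support_expire', function ( $user_id ) {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );   // the temporary account is removed on schedule
} );
```

Cookie-authenticated REST calls must also carry WordPress's X-WP-Nonce header, so a request without a valid nonce is treated as anonymous and fails the permission_callback.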
Once someone has admin on your WordPress site, it’s game over for that site. They can plant backdoors that survive cleanup, deploy web shells, install malicious plugins, swap out your content, and read any private data the site touches. A common move is to inject code that redirects your visitors to scam pages or quietly skims payment details — which turns your own website into a weapon against your customers.
This isn’t theoretical. The security firm Defiant, which makes Wordfence, watched attackers go after this flaw and blocked more than 3,600 attempts in a single 24-hour window. People are actively scanning the internet for vulnerable sites as you read this.
The flaw affects WP Maps Pro version 6.1.0 and everything older. The vendor released 6.1.1 on May 20 with the fix. So the patch exists — the only question is whether you’ve installed it.
Why should a business owner care about a map plugin? Because this is how most small business websites get popped. Not some elaborate nation-state operation — a vulnerable plugin nobody updated, found by an automated scanner, exploited in seconds. Your site is your storefront and often your reputation. A defaced or malware-laced site embarrasses you in front of every customer who visits, and Google will flag it, killing your search traffic on top of everything else.
The frustrating part: this is one of the most preventable kinds of breach there is. Keeping WordPress and its plugins updated stops the overwhelming majority of these attacks cold. Most owners just don’t have anyone watching for it.
What to do right now
- If your site uses WP Maps Pro, update it to 6.1.1 immediately. Anything 6.1.0 or older is exploitable and being attacked right now. The update takes minutes.
- Check your WordPress user list for accounts you don’t recognize — especially any new administrator. The hardcoded email tied to this attack is [email protected]. If you see a strange admin, delete it and assume the site was compromised.
- Update every other plugin while you’re in there. Outdated plugins are the number one way WordPress sites get hacked. If you haven’t logged in for a while, you probably have several waiting.
- Turn on automatic updates for plugins if your site can tolerate them, so you’re not depending on memory.
- Make sure you have a clean, recent backup stored somewhere off the site. If a site does get hit, a good backup is the difference between a bad afternoon and a bad month. Backups and recovery are something we set up and manage for clients.
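The user check in the list above, done from the command line rather than by eye. This is an added script, not something from the newsletter or the plugin vendor; it assumes WP-CLI is installed and that you fill in your own admin logins and the address from the advisory.

```php
<?php
// audit-admins.php, added example. Run from the site root with WP-CLI:
//   wp eval-file audit-admins.php
// Lists every administrator, newest first, and flags anything that looks off.

// Logins you actually created (hypothetical values, replace with your own).
$known_admins = [ 'owner', 'webmaster' ];
// Placeholder: the address quoted in the advisory, not reproduced here.
$attack_email = 'ADDRESS_FROM_ADVISORY';

$admins = get_users( [
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
] );

foreach ( $admins as $u ) {
    $flags = [];
    if ( ! in_array( $u->user_login, $known_admins, true ) ) {
        $flags[] = 'not in known list';
    }
    if ( strcasecmp( $u->user_email, $attack_email ) === 0 ) {
        $flags[] = 'matches advisory email';
    }
    if ( strtotime( $u->user_registered ) > strtotime( '-14 days' ) ) {
        $flags[] = 'created in the last 14 days';
    }
    printf( "%-5d %-20s %-32s %s %s\n", $u->ID, $u->user_login, $u->user_email,
        $u->user_registered, $flags ? 'FLAG: ' . implode( ', ', $flags ) : '' );
}
```

Any flagged row is a reason to treat the site as compromised and restore from a known-good backup, not just delete the account.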
If you’ve got a WordPress site running your business and no one’s actually watching it for this stuff, that’s a gap worth closing — it’s exactly the kind of thing we handle for small businesses so you don’t have to think about it. Book a free 15-minute consult and we’ll tell you straight where you stand.