Skip to main content
Emerging Threats

WP Maps Pro Flaw Exploited to Create Admin Accounts

WordPress dashboard on a laptop screen amidst a cluttered home office, symbolizing vulnerability.
CVE-2026-8732 (CVSS score: 9.8)

CVE-2026-8732 and the WP Maps Pro footprint

WP Maps Pro, a commercial WordPress plugin sold more than 15,000 times on the Envato Market, is at the center of a high-severity vulnerability tracked as CVE-2026-8732. The plugin, which enables site owners to embed Google Maps and OpenStreetMap with markers, listings and store-locator style features, contains a privilege-escalation bug that affects all versions prior to and including 6.1.0. The flaw was discovered and reported by security researcher David Brown and addressed by the plugin maintainers in version 6.1.1, released on May 20, 2026.

How the flaw allows complete site takeover

The vulnerability stems from a "temporary access" feature designed to let support staff log in during troubleshooting. Wordfence described the technical failure plainly: the wpgmp_temp_access_ajax AJAX action is registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism.

Because of that arrangement, unauthenticated actors can invoke the wpgmp_temp_access_support handler with check_temp=false. Wordfence explained the consequence in sequence: the handler "unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover."

Active exploitation and scale

The vulnerability has moved beyond disclosure into active exploitation. Wordfence reported that it has blocked 2,858 attacks targeting the issue over the past 24 hours. The combination of a very high CVSS score (9.8), a widely used commercial plugin, and an exploit path that yields administrative accounts makes the exposure acute for any site still running an affected version.

What this means for site owners, security teams, and plugin maintainers

  • Site owners: Sites running WP Maps Pro on versions up to and including 6.1.0 are exposed to unauthenticated creation of administrator accounts. The patch in version 6.1.1 restricts the endpoint so that only authenticated administrators can access it; the plugin maintainers released that fix on May 20, 2026. The published advisory emphasizes that updating to the latest release is essential for protection.
  • Security teams: The exploit yields immediate, full administrative control when successful. Wordfence's telemetry—2,858 blocked attempts in 24 hours—signals rapid targeting; teams monitoring web application logs and intrusion prevention systems should correlate for attempts against the wpgmp_temp_access_ajax action and related indicators disclosed by vendors.
  • Plugin maintainers: The gap originated in a support convenience feature whose access-control checks relied on a nonce that was publicly exposed. The maintainers' remediation replaces that access model by ensuring only authenticated administrators can reach the endpoint, illustrating the risk introduced when support interfaces are exposed without robust authentication.

A narrow, concrete takeaway

The technical mechanics are straightforward and the mitigation is binary: WP Maps Pro versions up to 6.1.0 contain a privilege-escalation flaw that can be triggered without authentication and has been actively exploited; version 6.1.1, published May 20, 2026, closes the vulnerability by limiting the endpoint to authenticated administrators. With Wordfence reporting thousands of blocked attempts in a single day and the plugin's commercial distribution exceeding 15,000 sales, the urgency to install the patch is immediate for any exposed site.

Original story: https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html

WP Maps Pro Flaw Exploited to Create Admin Accounts | OSINTSights