Vulnerability in WP Maps Pro for WordPress exploited to generate admin accounts.
TL;DR: A serious vulnerability (CVE-2026-8732, CVSS 9.8) in the WP Maps Pro WordPress plugin enables unauthenticated attackers to create admin accounts and potentially seize control of websites. Wordfence reported blocking 2,858 exploitation attempts within a 24-hour period, and the flaw has been addressed in version 6.1.1.
A critical vulnerability in WP Maps Pro, a paid WordPress plugin with over 15,000 sales on the Envato Market, is currently being exploited by attackers to establish malicious administrator accounts on vulnerable websites. The issue, identified as CVE-2026-8732 and rated with a CVSS score of 9.8, permits unauthenticated users to attain complete administrative control over any WordPress installation that is running an unpatched version of the plugin.
Wordfence, which uncovered the exploitation efforts, reported blocking 2,858 attempts targeting the vulnerability within the 24 hours leading up to its announcement. The issue affects all versions of WP Maps Pro up to and including 6.1.0 and was corrected in version 6.1.1, which was released on May 20, 2026. The vulnerability was discovered and reported by security researcher David Brown.
Exploit Mechanics
WP Maps Pro features a “temporary access” function intended to let the plugin’s support team log into a customer’s site for troubleshooting. The feature exposes an AJAX action named “wpgmp_temp_access_ajax,” which can create a new WordPress user with administrator rights. The access control on this action was flawed from the start: it was registered with WordPress’s “wp_ajax_nopriv_” hook, which exposes the handler to unauthenticated visitors.
The only safeguard implemented was a nonce check, a token designed to prevent cross-site request forgery. However, this nonce was publicly included on each frontend page through the “wpgmp_local” JavaScript object, eliminating its effectiveness as a security measure. Any visitor could obtain the nonce from the page source and use it to execute the function.
An attacker can call the endpoint with the parameter “check_temp=false,” which invokes the “wpgmp_temp_access_support()” function. That function unconditionally creates a new WordPress user with a hardcoded administrator role and returns a special login URL. Visiting that URL triggers “wp_set_auth_cookie()”, which fully authenticates the attacker as the newly created administrator. The whole chain, from an unauthenticated request to full site control, requires no credentials, social engineering, or prior access.
Plugin Overview
WP Maps Pro enables site owners to incorporate customizable Google Maps and OpenStreetMap views, complete with markers, listings, and advanced location features. It is frequently utilized as a store locator tool for businesses looking to assist users in finding nearby locations, viewing details, and obtaining directions. The plugin is available for purchase through the Envato Market (CodeCanyon) rather than being listed in WordPress’s official plugin directory, resulting in updates not being relayed through the conventional WordPress auto-update system.
This distribution approach presents a unique risk. Site owners who have bought the plugin might not receive automatic alerts about the security update, and many WordPress installations are managed by non-technical users or agencies that do not monitor security disclosures. Unlike major cybercrime operations that law enforcement can address through server seizures, vulnerabilities in WordPress plugins are commonly exploited through distributed, automated scanning efforts that are hard to disrupt.
Actions for Site Owners
The patch included in version 6.1.1 confines the temporary access endpoint to authenticated administrators only. Site owners using WP Maps Pro should update their installations immediately. If an update cannot be performed, they should disable the plugin until the patch can be applied. A practical first step for assessing whether a site has been compromised is to check for any unexpected administrator accounts in the WordPress user list.
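To make the flaw and the fix concrete, here is an illustrative PHP reconstruction of the access-control pattern described in the Exploit Mechanics section and of the restriction the 6.1.1 patch applies. This is added example code, not the plugin’s own source; the callback and script handle names are hypothetical, and the two registrations are shown side by side only for contrast (they would never coexist in one plugin).

```php
<?php
// Added example, not WP Maps Pro's code. Only the WordPress API calls are real;
// callback names, the script handle and the nonce action string are hypothetical.

// --- Vulnerable pattern (the pre-6.1.1 shape described in the article) ---
// Registering on wp_ajax_nopriv_* makes the handler reachable by logged-out visitors.
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'example_temp_access_vulnerable' );
add_action( 'wp_ajax_wpgmp_temp_access_ajax',        'example_temp_access_vulnerable' );

function example_temp_access_vulnerable() {
    // The only gate is a nonce. A nonce shows the request originated from a page
    // that carried the token; it says nothing about who the requester is.
    check_ajax_referer( 'example-temp-access', 'nonce' );

    // ... privileged logic follows: a user with the administrator role is created
    //     and a login URL is returned (omitted here on purpose).
}

// The nonce is handed to every visitor through a localized JS object on the
// frontend, so the gate above is passable by anyone who reads the page source.
wp_localize_script( 'example-frontend', 'wpgmp_local', array(
    'nonce' => wp_create_nonce( 'example-temp-access' ),
) );

// --- Hardened pattern (what the fix does, per the article) ---
// 1. No nopriv registration: WordPress never routes unauthenticated requests here.
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'example_temp_access_fixed' );

function example_temp_access_fixed() {
    // 2. The nonce still protects logged-in users against CSRF ...
    check_ajax_referer( 'example-temp-access', 'nonce' );

    // 3. ... and an explicit capability check ties the action to administrators.
    //    Being logged in is not enough; a subscriber must also be rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Privileged temporary-access logic runs only past both checks.
}
```

The lesson for reviewers of any plugin is that a nonce is a CSRF token, not an authentication or authorization check; any handler that changes privileges needs a capability check regardless of how it was registered.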
This vulnerability exemplifies a recurring issue within the WordPress ecosystem: a support or debugging feature that grants higher privileges, guarded by a check that does not actually restrict who can call it. Vulnerability disclosure programs and security researchers like Brown are vital in identifying these flaws before they can inflict wide-scale damage, but the 2,858 attacks blocked in just one day highlight that the gap between disclosure and exploitation is now measured in hours rather than weeks.