Vulnerability in WP Maps Pro for WordPress leveraged to generate admin accounts
TL;DR: A severe vulnerability (CVE-2026-8732, CVSS score 9.8) in the WP Maps Pro WordPress plugin enables unauthenticated attackers to create admin accounts and seize control of websites. Wordfence identified and blocked 2,858 attempts to exploit this vulnerability within 24 hours, and it was fixed in version 6.1.1.
A critical vulnerability in WP Maps Pro, a paid WordPress plugin with over 15,000 sales on the Envato Market, is being actively exploited by attackers to create malicious administrator accounts on affected websites. The issue, tracked as CVE-2026-8732 with a CVSS rating of 9.8, allows unauthenticated attackers to obtain full administrative control over any WordPress site running an unpatched version of the plugin.
Wordfence, which uncovered this exploitation campaign, reported blocking 2,858 attacks aimed at this security flaw in the day leading up to its announcement. The vulnerability impacts all versions of WP Maps Pro up to and including 6.1.0 and was addressed in version 6.1.1, released on May 20, 2026. Security researcher David Brown discovered and reported the vulnerability.
How the exploit functions:
WP Maps Pro features a "temporary access" option that lets its support team log into a customer's site during troubleshooting. The feature exposes an AJAX action named "wpgmp_temp_access_ajax" that creates a new WordPress user with administrator rights. The security design of this feature was fundamentally flawed: the action was registered on WordPress's "wp_ajax_nopriv_" hook, which is exactly the hook that makes an action callable by logged-out visitors.
The only safeguard was a nonce check. A WordPress nonce is a cross-site request forgery token: it proves that the request originated from a page that rendered the nonce, not who is sending it, so it is never an authorization check on its own. Here it was weaker still, because the nonce was exposed on every frontend page of the site through the "wpgmp_local" JavaScript object. Any visitor could read it from the page source and use it to trigger the action.
An attacker calling the endpoint with "check_temp=false" invokes the "wpgmp_temp_access_support()" function, which unconditionally creates a new WordPress user with the administrator role and returns a magic login URL. Visiting that URL executes "wp_set_auth_cookie()", fully authenticating the attacker as the newly created administrator. The whole chain, from unauthenticated request to full control of the site, requires no credentials, social engineering, or prior access.
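The design flaw described above, as an added illustrative example (not WP Maps Pro's code, and not from Wordfence or the researcher): it puts the registration pattern the article describes beside a version that behaves the way the article says 6.1.1 does, keeping the action off the wp_ajax_nopriv_ hook and adding an explicit capability check. The action name, nonce name, user-meta key and the expiring-account lifecycle are all assumptions.

```php
<?php
/**
 * Added illustrative example, not WP Maps Pro's code. It contrasts the
 * registration pattern the article describes with a version that limits a
 * privileged "temporary support access" AJAX action to authenticated
 * administrators. Action name, nonce name, meta key and the support-account
 * lifecycle are assumptions.
 */

// FLAWED PATTERN. check_ajax_referer() only proves the request came from a
// page that rendered the nonce; it says nothing about who sent it. Once the
// handler is also registered on wp_ajax_nopriv_, any logged-out visitor who
// copies the nonce from the page source reaches the privileged code path.
function example_temp_access_flawed() {
    check_ajax_referer( 'example_temp_access', 'nonce' );
    $user_id = example_create_support_admin(); // no authorization check at all
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// add_action( 'wp_ajax_example_temp_access',        'example_temp_access_flawed' );
// add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_flawed' ); // the mistake

// HARDENED PATTERN. Only the authenticated wp_ajax_ hook, an explicit
// capability check, and the nonce retained as the CSRF defence on top.
function example_temp_access_hardened() {
    check_ajax_referer( 'example_temp_access', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Administrator privileges required.' ), 403 );
    }
    $user_id = example_create_support_admin();
    // Record who granted access so the account can be traced and revoked.
    error_log( sprintf( 'Support admin %d created by user %d', $user_id, get_current_user_id() ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: admin-ajax.php answers
// logged-out requests for an action that has no nopriv handler with "0"
// and HTTP 400, so the function above is never entered.

// Shared helper (assumed): creates an administrator account that expires.
function example_create_support_admin() {
    $user_id = wp_insert_user( array(
        'user_login' => 'support-' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 32, true ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }
    update_user_meta( $user_id, 'example_support_access_expires', time() + DAY_IN_SECONDS );
    return $user_id;
}

// Cleanup: delete expired support accounts. Fire this from a cron hook
// registered with wp_schedule_event() on plugin activation (hook name assumed).
function example_purge_expired_support_admins() {
    $users = get_users( array(
        'meta_key'     => 'example_support_access_expires',
        'meta_compare' => 'EXISTS',
    ) );
    foreach ( $users as $user ) {
        $expires = (int) get_user_meta( $user->ID, 'example_support_access_expires', true );
        if ( $expires < time() ) {
            require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
            wp_delete_user( $user->ID );
        }
    }
}
add_action( 'example_purge_support_admins', 'example_purge_expired_support_admins' );
```

The point of the contrast is the order of checks: the capability check (current_user_can) decides whether the caller is allowed to do this at all, and the nonce only defends a legitimately authorized administrator against being tricked into sending the request. Leaving the nopriv hook unregistered means WordPress itself rejects logged-out calls before any plugin code runs, so the handler does not depend on remembering the check.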
The plugin and its implications:
WP Maps Pro enables site owners to incorporate customizable Google Maps and OpenStreetMap views with markers, listings, and advanced location features. It is frequently utilized as a store locator tool for businesses needing to assist users in finding nearby locations, viewing details, and getting directions. The plugin is offered via the Envato Market (CodeCanyon) rather than through the official WordPress plugin directory, meaning updates won't be delivered through the standard WordPress auto-update system.
This distribution method presents a specific risk. Site owners who bought the plugin might not receive automatic alerts regarding security updates, and many WordPress sites are managed by non-technical individuals or agencies that do not keep track of vulnerability reports. Unlike large cybercrime infrastructures that law enforcement can target through server seizures, vulnerabilities in WordPress plugins are exploited via distributed, automated scanning campaigns that are challenging to disrupt.
Recommended actions for site owners:
The 6.1.1 patch restricts the temporary access endpoint to authenticated administrators only. Site owners running WP Maps Pro should update immediately; if they cannot update, they should disable the plugin until the patch is applied. A practical first step in checking for compromise is to review the WordPress user list for unexpected administrator accounts.
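One way to run that check from the command line, as an added example that is not part of the article: a script for WP-CLI's eval-file command (file name audit-admins.php and the list of expected administrator logins are assumptions) that lists every account holding the administrator role and flags any registered on or after a cutoff date or missing from the expected list.

```php
<?php
/**
 * audit-admins.php (added example, not Wordfence's or the plugin's code).
 * Run from the site root with WP-CLI, which loads WordPress first and
 * exposes any extra arguments in $args:
 *
 *     wp eval-file audit-admins.php [cutoff-date]
 *
 * Lists every administrator account, newest registration first, and flags
 * accounts registered on or after the cutoff (default: 7 days ago) or whose
 * login is not in the expected list below.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit( "Run this through WP-CLI (wp eval-file) so WordPress is loaded.\n" );
}

// Optional first argument: any date PHP's strtotime() understands, e.g. 2026-05-20.
$cutoff = isset( $args[0] ) ? strtotime( $args[0] ) : strtotime( '-7 days' );
if ( false === $cutoff ) {
    exit( "Could not parse cutoff date: {$args[0]}\n" );
}

// Logins you expect to hold the administrator role on this site (assumed; edit per site).
$expected_admins = array( 'owner', 'agency-ops' );

$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

printf( "%-5s %-20s %-30s %-20s %s\n", 'ID', 'login', 'email', 'registered (UTC)', 'flags' );
$flagged = 0;
foreach ( $admins as $user ) {
    $flags = array();
    // user_registered is stored in UTC as "Y-m-d H:i:s".
    if ( strtotime( $user->user_registered . ' UTC' ) >= $cutoff ) {
        $flags[] = 'registered-after-cutoff';
    }
    if ( ! in_array( $user->user_login, $expected_admins, true ) ) {
        $flags[] = 'not-in-expected-list';
    }
    if ( $flags ) {
        $flagged++;
    }
    printf(
        "%-5d %-20s %-30s %-20s %s\n",
        $user->ID,
        $user->user_login,
        $user->user_email,
        $user->user_registered,
        implode( ',', $flags )
    );
}
printf( "\n%d administrator account(s), %d flagged for review.\n", count( $admins ), $flagged );
```

A flagged row is a lead, not proof of compromise: confirm each one with whoever administers the site before removing it. Passing the patch release date (2026-05-20) as the cutoff is a reasonable starting point, since the article says exploitation followed disclosure within hours.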
This vulnerability exemplifies a recurring trend within the WordPress ecosystem: a support or debugging feature that grants heightened privileges but is safeguarded by a security measure that fails to effectively control access. Vulnerability disclosure programs and security researchers like Brown are crucial in identifying these issues before they can cause extensive damage, but the 2,858 attacks blocked in a single day indicate that the time frame between vulnerability disclosure and exploitation is now measured in hours rather than weeks.