Executive Summary
A critical privilege escalation vulnerability (CVE-2026-8732) has been identified in the WP Maps Pro plugin for WordPress, affecting all versions up to and including 6.1.0. The flaw carries a CVSS score of 9.8, reflecting its unauthenticated, network-exploitable nature.
The vulnerability allows an unauthenticated attacker to create administrator-level WordPress accounts without any credentials. The root cause is a misconfigured AJAX handler — wpgmp_temp_access_ajax — which is registered with WordPress's wp_ajax_nopriv_ hook (allowing unauthenticated access) and protected only by a nonce check that can be bypassed or obtained trivially.
Any WordPress site running WP Maps Pro version 6.1.0 or earlier should update immediately or disable the plugin until a patch is confirmed.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-8732 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-269 — Improper Privilege Management |
| Type | Privilege Escalation / Unauthenticated Admin Account Creation |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Patch Available | Check vendor/Wordfence for latest status |
Affected Versions
| Plugin | Affected Versions | Fixed Version |
|---|---|---|
| WP Maps Pro | <= 6.1.0 (all versions) | TBD — monitor plugin changelog |
Technical Analysis
Root Cause
The WP Maps Pro plugin registers an AJAX action wpgmp_temp_access_ajax using WordPress's wp_ajax_nopriv_ hook. This hook makes the action accessible to unauthenticated users — anyone without a WordPress session.
The action is protected only by a nonce check using the fc-call nonce. However, a WordPress nonce is a CSRF defence, not a secret or an authentication control: it can often be retrieved from publicly accessible pages or responses, so on its own it cannot establish who is making the request when used in a nopriv_ context.
The vulnerable handler ultimately performs a privileged operation: creating a WordPress administrator account. Because there is no capability or role check prior to this action, any HTTP request that satisfies the nonce requirement can trigger admin account creation.
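The following is an added illustrative example, not the WP Maps Pro plugin's source code: it shows the insecure AJAX-handler pattern described above (a privileged operation registered on wp_ajax_nopriv_ and guarded only by a nonce) beside a hardened form of the same handler. The action name, function names and nonce name are hypothetical.

```php
<?php
// Added illustrative example, not the WP Maps Pro plugin's source code.
// Action, function and nonce names are hypothetical; the pattern mirrors
// the root cause described in the advisory.

// --- INSECURE PATTERN ---------------------------------------------------
// Registering a privileged operation on wp_ajax_nopriv_ exposes it to
// logged-out visitors. The nonce only shows the request came from a page
// that rendered the nonce; it says nothing about who is making the call.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_insecure' );
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_insecure' );

function example_temp_access_insecure() {
    check_ajax_referer( 'example-nonce', 'nonce' ); // CSRF check only, no authorization

    $user_id = wp_create_user( $_POST['username'], $_POST['password'], $_POST['email'] );
    $user    = new WP_User( $user_id );
    $user->set_role( $_POST['role'] ); // role chosen by the caller: privilege escalation
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// --- HARDENED PATTERN ---------------------------------------------------
// 1. No nopriv_ registration: only authenticated users can reach the handler.
// 2. Nonce check AND a capability check (current_user_can) before any work.
// 3. The role is fixed server-side; request data cannot choose it.
// 4. Inputs are unslashed, sanitized and validated before use.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );

function example_temp_access_hardened() {
    check_ajax_referer( 'example-nonce', 'nonce' );

    // wp_send_json_error() calls wp_die(), so execution stops on failure.
    if ( ! is_user_logged_in() || ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $username || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid username or email.' ), 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24, true ),
        'role'       => 'subscriber', // least privilege; never a role taken from request data
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

When reviewing plugin code for this class of bug, the question to ask of every wp_ajax_nopriv_ callback is whether it ever reaches a state-changing WordPress API (wp_create_user, wp_insert_user, set_role, update_option, and similar); if it does, the nopriv_ registration itself is the defect, and a nonce check does not compensate for the missing current_user_can() test.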
Attack Flow
1. Attacker identifies a WordPress site running WP Maps Pro <= 6.1.0
2. Attacker retrieves the fc-call nonce from a public page
(e.g., via the plugin's frontend assets or page source)
3. Attacker crafts a POST request to wp-admin/admin-ajax.php:
- action: wpgmp_temp_access_ajax
- nonce: [retrieved nonce]
- username/email/password: [attacker-controlled values]
- role: administrator
4. Plugin processes the request without verifying caller's authentication
5. WordPress creates a new administrator account with attacker's credentials
6. Attacker logs in as administrator with full site control
Why This Is Exploitable
- wp_ajax_nopriv_ explicitly allows unauthenticated callers
- Nonces are publicly observable via page source on many WordPress setups
- No current_user_can() check is performed before account creation
- The flaw requires no prior knowledge of existing users or credentials
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Site Takeover | Attacker gains WordPress administrator access |
| Content Manipulation | Admin can modify, delete, or deface all content |
| Plugin/Theme Abuse | Malicious plugins or backdoored themes can be installed |
| Data Exfiltration | Access to all registered users, posts, and plugin data |
| Persistent Access | Attacker-created admin accounts survive plugin updates |
| SEO/Spam Injection | Admin access enables SEO poisoning, spam content insertion |
| Hosting Pivot | Shared hosting compromise can affect co-hosted sites |
Immediate Remediation
Step 1: Update WP Maps Pro
Check the plugin's official WordPress.org repository or the vendor's website for a patched version and update immediately.
# Via WP-CLI
wp plugin update wp-maps-pro
# Verify installed version
wp plugin get wp-maps-pro --field=version
Or navigate to WordPress Admin > Plugins > Installed Plugins > WP Maps Pro > Update.
Step 2: Disable Plugin Until Patched
If an update is not available or cannot be applied immediately, deactivate the plugin:
# Via WP-CLI
wp plugin deactivate wp-maps-pro
Or use WordPress Admin > Plugins > WP Maps Pro > Deactivate.
Step 3: Audit for Unauthorized Accounts
# List all administrator accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered
# Check for recently created admins (last 7 days)
wp db query "SELECT user_login, user_email, user_registered FROM wp_users WHERE user_registered > DATE_SUB(NOW(), INTERVAL 7 DAY);"
# (adjust the wp_ table prefix if the site uses a custom one; `wp db prefix` prints it)
# Cross-reference with legitimate administrators
Step 4: Remove Malicious Accounts and Harden
# Delete unauthorized administrator accounts
wp user delete <suspicious-user-id> --reassign=<legitimate-admin-id>
# Regenerate WordPress secret keys
wp config shuffle-salts
# Invalidate all active sessions
wp db query "DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';"
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected administrator accounts | Attacker-created persistent access accounts |
| POST requests to admin-ajax.php?action=wpgmp_temp_access_ajax | Exploitation attempt in access logs |
| New users registered with recent timestamps and admin roles | Post-exploitation account creation |
| Unauthorized plugin installations or file modifications | Active post-compromise activity |
| Login events from unfamiliar IP addresses on admin accounts | Attacker using created account |
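As an added example (not part of the advisory), the script below turns the first and last indicators in the table into a check that can be run over a web-server access log: it flags POST requests to admin-ajax.php carrying the wpgmp_temp_access_ajax action, then reports any later POST to wp-login.php from the same source IP. The log lines are constructed for the demonstration and assume the Apache/nginx "combined" log format; the file path, IPs and timestamps are placeholders.

```php
<?php
// Added example, not part of the advisory: scan access-log lines for the
// exploitation indicator, then flag follow-on logins from the same source.
// The log lines are constructed for this demo (combined log format).
// Requires PHP 8.0+ for str_ends_with().

const SUSPICIOUS_ACTION = 'wpgmp_temp_access_ajax';

$sample_log = <<<'LOG'
203.0.113.10 - - [12/Mar/2026:10:15:01 +0000] "GET /wp-content/plugins/wp-maps-pro/assets/js/maps.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:10:15:03 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2026:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2026:10:16:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33 "https://example.test/wp-admin/" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields, or return null if it does not match.
function parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) ([^ "]+) [^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    parse_str( (string) parse_url( $m[4], PHP_URL_QUERY ), $params );
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => (string) parse_url( $m[4], PHP_URL_PATH ),
        'params' => $params,
        'status' => (int) $m[5],
    ];
}

// Return exploitation attempts and any wp-login.php POSTs from the same IPs.
function find_indicators( string $log, string $action ): array {
    $attempts = [];
    $logins   = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = parse_line( $line );
        if ( $r === null || $r['method'] !== 'POST' ) {
            continue;
        }
        if ( str_ends_with( $r['path'], '/wp-admin/admin-ajax.php' )
             && ( $r['params']['action'] ?? '' ) === $action ) {
            $attempts[] = $r;
        } elseif ( str_ends_with( $r['path'], '/wp-login.php' ) ) {
            $logins[] = $r;
        }
    }
    $suspect_ips = array_unique( array_column( $attempts, 'ip' ) );
    $followups   = array_values( array_filter(
        $logins,
        fn( $r ) => in_array( $r['ip'], $suspect_ips, true )
    ) );
    return [ 'attempts' => $attempts, 'followup_logins' => $followups ];
}

$result = find_indicators( $sample_log, SUSPICIOUS_ACTION );
foreach ( $result['attempts'] as $r ) {
    printf( "ALERT exploitation attempt  %s  %-15s status=%d\n", $r['time'], $r['ip'], $r['status'] );
}
foreach ( $result['followup_logins'] as $r ) {
    printf( "ALERT follow-on login       %s  %-15s status=%d\n", $r['time'], $r['ip'], $r['status'] );
}
```

One caveat: web-server access logs record the query string but not the POST body, so this check only fires when the action parameter is sent in the URL. A request that carries action=wpgmp_temp_access_ajax in the form body shows up as a plain POST to admin-ajax.php, which is why the account audit in Step 3 and WAF or application-level logging remain necessary alongside log review.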
Post-Remediation Checklist
- Update WP Maps Pro to the latest patched version
- Disable the plugin if no patch is available
- Audit all administrator accounts — remove unauthorized entries
- Reset passwords for all legitimate administrators
- Regenerate WordPress secret keys via wp config shuffle-salts
- Invalidate all active sessions to force re-authentication
- Scan for webshells and backdoors in the wp-content/ directory
- Review access logs for evidence of prior AJAX exploitation
- Enable two-factor authentication on all administrator accounts
- Deploy a WAF (Wordfence, Cloudflare, Sucuri) with WordPress-specific rules