top of page

CVE-2026-8732: WP Maps Pro Vulnerability Allows Unauthorized WordPress Admin Account Creation Without Password

  • Jun 1
  • 3 min read

Key Findings


  • CVE-2026-8732 in WP Maps Pro allows unauthenticated attackers to create WordPress administrator accounts remotely

  • CVSS score of 9.8 indicates critical severity

  • Over 2,858 attacks blocked in 24 hours, indicating active mass exploitation

  • Affects all versions through 6.1.0; patched in version 6.1.1 released May 20, 2026

  • Plugin installed on 15,000+ WordPress sites according to Envato Market sales data

  • Exploitation began before most site owners had time to patch after disclosure

  • Successful exploitation results in complete site takeover


Background


WP Maps Pro is a WordPress plugin used to embed customizable Google Maps and OpenStreetMap with markers, listings, and location search features on websites. It functions primarily as a store locator tool, allowing site owners to display nearby locations and get directions. The plugin has achieved significant adoption across the WordPress ecosystem with over 15,000 sales recorded on Envato Market. Given its widespread use, the vulnerability in this plugin creates substantial risk across many websites.


The Vulnerable Feature


The root cause stems from a "temporary access" support feature designed to allow plugin support staff to troubleshoot customer sites. The feature registers an AJAX action called wpgmp_temp_access_ajax using WordPress's wp_ajax_nopriv_ hook, which permits unauthenticated users to call it. The developers relied solely on a nonce check for protection, but critically, they embedded that nonce publicly into every frontend page via wp_localize_script.


How the Attack Works


The flaw operates through a straightforward process. An attacker invokes the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with administrator privileges using wp_insert_user(). The function then returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator. This grants complete site takeover capability.


The Design Failure


Using a nonce as an access control mechanism for a publicly accessible endpoint is fundamentally flawed. A nonce is designed to prevent cross-site request forgery, not to control access. Making the nonce publicly available in page source code renders it completely ineffective as security. The design flaw is almost stunning in its thoroughness, essentially locking a door with a key taped to the outside.


Active Exploitation


Exploitation began rapidly following disclosure, before most site owners could patch their installations. Wordfence confirmed the active exploitation and reported blocking 2,858 attacks in a 24-hour period. The speed from discovery to mass exploitation reflects how quickly working proofs-of-concept circulate once a WordPress plugin vulnerability becomes public.


The Patch and Recommendations


Plugin maintainers released version 6.1.1 on May 20, 2026, which addresses the issue by requiring the requesting user to already be an authenticated administrator before allowing access to the endpoint. Site owners must update immediately. All versions through 6.1.0 remain vulnerable. If immediate updating is impossible, site owners should deactivate the plugin entirely until they can upgrade.


Impact of Successful Attack


An attacker with administrator access to a WordPress site has unrestricted control. They can install backdoors for persistent access, redirect traffic to malicious sites, inject malware into pages served to visitors, exfiltrate sensitive data, or compromise user information. The cleanup required after a full site takeover is far more costly than the thirty seconds needed to apply the update.


Researcher Credit


Security researcher David Brown discovered and reported the vulnerability through the Wordfence Bug Bounty Program and received a bounty of $1,950.00 for the submission.


Sources


  • https://securityaffairs.com/192977/hacking/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html

  • https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html

  • https://www.bleepingcomputer.com/news/security/wp-maps-pro-bug-exploited-to-create-admin-accounts-on-wordpress-sites

  • https://www.abijita.com/critical-wordpress-plugin-flaw-lets-hackers-create-admin-accounts

  • https://techjacksolutions.com/scc-intel/cve-2026-8732-unauthenticated-admin-creation-in-wp-maps-pro-under-active-exploitation

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page