A critical vulnerability in the WP Maps Pro WordPress plugin is being actively exploited to create rogue administrator accounts on vulnerable sites — with Wordfence reporting more than 3,600 attack attempts in a single 24-hour period. The flaw, tracked as CVE-2026-8732 with a CVSS score of 9.8, affects all WP Maps Pro versions up to and including 6.1.0, covering more than 15,800 plugin sales on Envato Market.
What Is WP Maps Pro?
WP Maps Pro is a premium WordPress plugin for building interactive, customisable maps and store locators. It supports Google Maps, OpenStreetMap, and other map providers, and is primarily used by businesses, real estate websites, travel sites, and organisations that need to display multiple locations on a map. The plugin had over 15,800 sales on Envato Market at the time of disclosure.
How the Vulnerability Works
The flaw originates in a “temporary access” feature built into WP Maps Pro, designed to allow the plugin’s vendor support staff to access a customer’s WordPress installation for troubleshooting purposes. The implementation had two critical security flaws:
- The AJAX endpoint was unauthenticated: the plugin registered the support-access handler on WordPress's wp_ajax_nopriv_ hook, which fires for logged-out requests to admin-ajax.php, so any unauthenticated visitor could reach it, not just administrators or vendor staff.
- The nonce was publicly exposed: the only check on the endpoint was a nonce (fc-call-nonce), and that nonce was embedded in the plugin's public frontend JavaScript, so anyone who loaded a page on the affected site could read it. A WordPress nonce is a CSRF token: it shows that the request originated from a page the site served, and WordPress issues and verifies nonces for logged-out visitors too, so it is never a substitute for an authentication or capability check.
With no authentication requirement and a nonce anyone could read, an attacker could call the wpgmp_temp_access_support handler with the parameter check_temp=false. That value makes the handler unconditionally create a new WordPress user with a hardcoded administrator role via wp_insert_user(). The handler then returns a magic login URL which, when visited, calls wp_set_auth_cookie() and sets a valid authentication cookie for the newly created admin in the attacker's browser. From that point the attacker has complete control of the WordPress installation, including the ability to upload plugins or edit theme files and so run arbitrary PHP on the server.
Attack Flow Summary
- Attacker loads any page on the target site to obtain the publicly exposed nonce
- Attacker sends a crafted AJAX request to the plugin’s support endpoint
- Plugin creates a new WordPress administrator account with no authorisation checks
- Plugin returns a magic login URL
- Attacker visits the URL and is immediately authenticated as an administrator
- Full site takeover achieved — no credentials, no brute force, no social engineering required
Discovery and Timeline
- March 24, 2026: Security researcher David Brown submitted the vulnerability to the Wordfence Bug Bounty Program, earning a $1,950 bounty
- May 16, 2026: Vendor confirmed and validated the vulnerability
- May 20, 2026: WP Maps Pro 6.1.1 released with a fix — the endpoint now requires authenticated administrator access
- Late May 2026: Active exploitation begins, with Wordfence blocking thousands of attempts
What the Fix Does
WP Maps Pro 6.1.1 patches the vulnerability by moving the AJAX hook registration from wp_ajax_nopriv_ (fires for logged-out requests) to wp_ajax_ (fires only for logged-in users), and by adding a capability check so that the handler runs only when the calling user is an administrator. The second change matters: wp_ajax_ on its own admits any authenticated user, subscribers included, so the hook change alone would have turned an unauthenticated takeover into a subscriber-to-administrator one. With both changes in place only logged-in administrators can use the temporary support feature, which is its intended design.
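What the vulnerable and fixed registrations look like side by side, as an added illustration of the pattern described under "How the Vulnerability Works" and in this section. This is not WP Maps Pro source: the hook, handler and parameter names (wpgmp_temp_access_support, check_temp, fc-call-nonce) and the calls wp_insert_user() and wp_set_auth_cookie() come from the article, while the account naming, the user-meta token scheme behind the magic login URL, the wpgmp_temp_login query parameter, the nonce field name and the manage_options capability are assumptions made for the example.

```php
<?php
// Added illustration of the vulnerable and fixed shapes; not WP Maps Pro code.
// The two halves are alternatives shown in one file for comparison. Anything
// the advisory does not name (account naming, token scheme, user-meta key,
// query parameter, capability) is an assumption.

/* --- BEFORE: the pattern described under "How the Vulnerability Works" --- */

// wp_ajax_nopriv_ fires for logged-out requests to admin-ajax.php, so anyone
// can reach the handler.
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_support', 'wpgmp_temp_access_support' );

function wpgmp_temp_access_support() {
	// The only gate. The same nonce is printed into public frontend JS, and a
	// nonce is a CSRF token anyway: it proves intent, not identity.
	check_ajax_referer( 'fc-call-nonce', 'nonce' );

	if ( isset( $_POST['check_temp'] ) && 'false' === $_POST['check_temp'] ) {
		// Unconditional creation of a user with a hardcoded administrator role.
		$user_id = wp_insert_user( array(
			'user_login' => 'support_' . wp_generate_password( 6, false ), // assumed naming
			'user_pass'  => wp_generate_password( 24 ),
			'role'       => 'administrator',
		) );
		if ( is_wp_error( $user_id ) ) {
			wp_send_json_error( $user_id->get_error_message() );
		}
		// Assumed magic-URL scheme: a one-time token kept in user meta.
		$token = wp_generate_password( 32, false );
		update_user_meta( $user_id, 'wpgmp_temp_token', $token );
		wp_send_json_success( array(
			'login_url' => add_query_arg( 'wpgmp_temp_login', $token, home_url( '/' ) ),
		) );
	}
	wp_send_json_error( 'no action taken' );
}

// Redeems the token: whoever visits the URL is logged in as that user.
add_action( 'init', 'wpgmp_redeem_temp_login' );
function wpgmp_redeem_temp_login() {
	if ( empty( $_GET['wpgmp_temp_login'] ) ) {
		return;
	}
	$users = get_users( array(
		'meta_key'   => 'wpgmp_temp_token',
		'meta_value' => sanitize_text_field( wp_unslash( $_GET['wpgmp_temp_login'] ) ),
		'number'     => 1,
	) );
	if ( $users ) {
		delete_user_meta( $users[0]->ID, 'wpgmp_temp_token' );
		wp_set_auth_cookie( $users[0]->ID ); // the visitor is now an administrator
		wp_safe_redirect( admin_url() );
		exit;
	}
}

/* --- AFTER: the 6.1.1 shape described in this section -------------------- */

// No nopriv registration. wp_ajax_ still fires for any logged-in user, a
// subscriber included, so the handler must also check a capability.
add_action( 'wp_ajax_wpgmp_temp_access_support', 'wpgmp_temp_access_support_fixed' );

function wpgmp_temp_access_support_fixed() {
	check_ajax_referer( 'fc-call-nonce', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
		wp_send_json_error( 'forbidden', 403 );
	}
	// ... the account-creation body from above follows here ...
}
```

Against the first half the exploit is a single POST to /wp-admin/admin-ajax.php carrying action=wpgmp_temp_access_support, check_temp=false and the nonce copied out of the page source; WordPress issues and verifies nonces for logged-out visitors, so the copied value passes check_ajax_referer(). Against the second half a logged-out request never reaches the handler (admin-ajax.php only dispatches wp_ajax_nopriv_ hooks for it), and a low-privilege logged-in user is stopped at the capability check.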
Immediate Actions for WordPress Site Owners
If your WordPress site runs WP Maps Pro:
- Update immediately: Install WP Maps Pro 6.1.1 or later from your plugin source
- Audit admin accounts: Go to WordPress Admin → Users and filter by the Administrator role, or run wp user list --role=administrator --fields=ID,user_login,user_email,user_registered with WP-CLI to see registration dates. Remove any administrator account you do not recognise, especially recently registered accounts with generic or support-style names
- Review activity logs: If you use an activity log plugin, check for user creation events and login events from unfamiliar IP addresses in the past few weeks
- Change admin passwords: If you find evidence of compromise, rotate all administrator account passwords, revoke all logged-in sessions, and check for any backdoors (malicious files, unauthorised plugins, or modified theme files)
- Enable Wordfence or equivalent: A web application firewall can block exploitation attempts and gives you a log of who is trying, which is useful even on patched sites; it supplements the update, it does not replace it
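A WP-CLI script for the account-audit and session-revocation steps above, added here as an example and not part of the article or the plugin. It assumes WP-CLI is installed and run from the site root, uses the 2026-05-20 fix-release date as the cutoff for flagging recently registered administrators (an assumption; move it earlier if you cannot establish when the site was last clean), and relies only on core WordPress APIs (get_users() and WP_Session_Tokens).

```php
<?php
/**
 * Added incident-response helper for the checklist above; not from the
 * article or the plugin. Run through WP-CLI from the site root:
 *
 *   wp eval-file audit-admins.php          # list admins, flag recent ones
 *   wp eval-file audit-admins.php revoke   # ...and destroy every session
 *
 * Assumption: the cutoff is the fix-release date named in the article; use an
 * earlier date if the site may have been exposed for longer.
 */

$cutoff = '2026-05-20 00:00:00';
$revoke = in_array( 'revoke', $args, true ); // $args: positional args from eval-file

$admins = get_users( array(
	'role'    => 'administrator',
	'orderby' => 'registered',
	'order'   => 'DESC',
) );

printf( "%-5s %-24s %-32s %-19s %s\n", 'ID', 'login', 'email', 'registered', 'note' );
$suspect = array();
foreach ( $admins as $u ) {
	$note = '';
	if ( $u->user_registered >= $cutoff ) {
		$note      = 'REVIEW: registered after fix release';
		$suspect[] = $u;
	} elseif ( empty( $u->user_email ) || ! is_email( $u->user_email ) ) {
		$note = 'REVIEW: missing or invalid email';
	}
	printf( "%-5d %-24s %-32s %-19s %s\n",
		$u->ID, $u->user_login, $u->user_email, $u->user_registered, $note );
}

// Live sessions held by the flagged accounts: source IP, user agent, login time.
foreach ( $suspect as $u ) {
	foreach ( WP_Session_Tokens::get_instance( $u->ID )->get_all() as $s ) {
		printf( "  session for %s: ip=%s login=%s ua=%s\n",
			$u->user_login, $s['ip'] ?? '?', date( 'c', $s['login'] ),
			substr( $s['ua'] ?? '?', 0, 60 ) );
	}
}

if ( $revoke ) {
	// Invalidates every auth cookie on the site; all users must log in again.
	WP_Session_Tokens::destroy_all_for_all_users();
	echo "All sessions destroyed.\n";
}

// Accounts you do not recognise: delete them with their content reassigned,
//   wp user delete <ID> --reassign=<trusted-admin-ID>
// then rotate the remaining administrators' passwords.
```

Run the listing first and keep its output with your incident notes; the session entries give you the attacker's source IP and the time of the magic-URL login, which is what you need when you go looking for the matching admin-ajax.php request in the web server logs. Only pass revoke once you are ready to log every user out, including yourself.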
Broader WordPress Security Lesson
CVE-2026-8732 exemplifies a recurring pattern in WordPress plugin security failures: privileged functions registered with unauthenticated hooks. The wp_ajax_nopriv_ hook is designed for actions that legitimately need to work for logged-out visitors — such as fetching map data for display on a public page. Using it for administrative functions like account creation or site access is a fundamental misuse of the hook. WordPress plugin developers should audit all nopriv hooks in their codebase to ensure no privileged operations are accessible to unauthenticated users.
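A standalone audit script for the nopriv check recommended above, added here as an example and not the article's or any plugin's code. It runs with plain PHP (8 or later, no WordPress needed), scans a plugin directory for wp_ajax_nopriv_ registrations and reports any string callback whose body calls a privileged core API without a capability check; with no argument it scans a constructed sample embedded in the script. The list of privileged functions and the regex-based resolution of handlers are heuristics chosen for this example: closures, array callbacks and dynamically built hook names are reported as UNRESOLVED rather than silently skipped, and the low rating means only that nothing privileged was found by name.

```php
<?php
// Added audit script for the lesson above; not from the article or any plugin.
// Lists every add_action( 'wp_ajax_nopriv_...' ) registration under a directory
// and flags string callbacks whose body calls a privileged API with no
// capability check. Heuristic and regex-based; PHP 8+.
//
//   php audit-nopriv.php /path/to/plugin   # scan real code
//   php audit-nopriv.php                   # scan the constructed sample below

const PRIVILEGED = array( 'wp_insert_user', 'wp_create_user', 'wp_update_user',
	'wp_delete_user', 'wp_set_auth_cookie', 'update_option' );
const GUARDS = array( 'current_user_can', 'is_user_logged_in' );

/** Each wp_ajax_nopriv_ registration in $src; callback is null unless a plain string. */
function find_nopriv_hooks( string $src ): array {
	$re = '/add_action\(\s*[\'"]wp_ajax_nopriv_(\w+)[\'"]\s*,\s*(?:[\'"]([\w\\\\]+)[\'"]|[^)]+)/';
	preg_match_all( $re, $src, $m, PREG_SET_ORDER );
	$hooks = array();
	foreach ( $m as $hit ) {
		$hooks[] = array( 'action' => $hit[1], 'callback' => ( $hit[2] ?? '' ) !== '' ? $hit[2] : null );
	}
	return $hooks;
}

/** Body of "function $name(...) { ... }" in $src by brace matching, or null. */
function function_body( string $src, string $name ): ?string {
	$re = '/function\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)\s*(?::\s*[?\w|\\\\]+\s*)?\{/';
	if ( ! preg_match( $re, $src, $m, PREG_OFFSET_CAPTURE ) ) {
		return null;
	}
	$start = $m[0][1] + strlen( $m[0][0] );
	for ( $i = $start, $depth = 1, $n = strlen( $src ); $i < $n; $i++ ) {
		if ( '{' === $src[ $i ] ) {
			$depth++;
		} elseif ( '}' === $src[ $i ] && 0 === --$depth ) {
			return substr( $src, $start, $i - $start );
		}
	}
	return null;
}

/** One finding per nopriv hook; handler bodies are resolved across all files. */
function audit_sources( array $sources ): array {
	$all      = implode( "\n", $sources );
	$findings = array();
	foreach ( $sources as $file => $src ) {
		foreach ( find_nopriv_hooks( $src ) as $h ) {
			$body  = $h['callback'] ? function_body( $all, $h['callback'] ) : null;
			$seen  = fn ( array $names ) => array_values( array_filter( $names,
				fn ( $f ) => null !== $body && str_contains( $body, $f . '(' ) ) );
			$priv  = $seen( PRIVILEGED );
			$guard = $seen( GUARDS ); // a nonce check is deliberately not a guard
			$findings[] = array(
				'file'       => $file,
				'action'     => $h['action'],
				'callback'   => $h['callback'] ?? '(non-string callback)',
				'privileged' => $priv,
				'guarded'    => array() !== $guard,
				'risk'       => null === $body ? 'UNRESOLVED' : ( $priv && ! $guard ? 'HIGH' : 'low' ),
			);
		}
	}
	return $findings;
}

// Constructed sample: one privileged handler on a nopriv hook, one public one.
$sample = <<<'PHP'
add_action( 'wp_ajax_nopriv_demo_temp_access', 'demo_temp_access' );
function demo_temp_access() {
    check_ajax_referer( 'demo-nonce', 'nonce' );
    $id = wp_insert_user( array( 'user_login' => 'x', 'user_pass' => 'y', 'role' => 'administrator' ) );
    wp_set_auth_cookie( $id );
}
add_action( 'wp_ajax_nopriv_demo_map_data', 'demo_map_data' );
function demo_map_data() {
    wp_send_json( get_option( 'demo_map_markers', array() ) );
}
PHP;

$sources = array();
if ( isset( $argv[1] ) && is_dir( $argv[1] ) ) {
	$it = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $argv[1], FilesystemIterator::SKIP_DOTS ) );
	foreach ( $it as $f ) {
		if ( 'php' === strtolower( $f->getExtension() ) ) {
			$sources[ $f->getPathname() ] = file_get_contents( $f->getPathname() );
		}
	}
} else {
	$sources['<sample>'] = $sample;
}

foreach ( audit_sources( $sources ) as $r ) {
	printf( "%-10s wp_ajax_nopriv_%-20s -> %-24s calls=[%s] %s\n", $r['risk'], $r['action'],
		$r['callback'], implode( ',', $r['privileged'] ),
		$r['guarded'] ? 'capability check present' : 'no capability check' );
}
```

On the sample, the temp-access handler comes back HIGH because it reaches wp_insert_user() and wp_set_auth_cookie() behind nothing but check_ajax_referer(), which the script deliberately does not count as a guard, while the map-data handler, the kind of read-only public action wp_ajax_nopriv_ exists for, comes back low. Extend PRIVILEGED with whatever your plugin considers sensitive (file writes, option changes, e-mail sending) and read every HIGH and UNRESOLVED line by hand.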