Published May 28, 2026

Critical Unauthenticated Admin Account Creation Flaw in WP Maps Pro Plugin Affects 15,000 Sites

A critical vulnerability in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create administrator accounts, leading to complete site takeover.

A critical vulnerability in the WP Maps Pro WordPress plugin, tracked as CVE-2026-8732 with a CVSS score of 9.8, allows unauthenticated attackers to create new administrator accounts on affected sites, leading to complete site takeover. The flaw affects over 15,000 sites running versions up to and including 6.1.0. The vulnerability was discovered and responsibly disclosed by researcher David Brown through the Wordfence Bug Bounty Program, earning a $1,950 bounty.

The vulnerability resides in the `wpgmp_temp_access_ajax` AJAX action, which is registered with `wp_ajax_nopriv_` and protected only by a nonce check using the `fc-call-nonce` nonce. However, this nonce is publicly embedded into every frontend page via `wp_localize_script` as the nonce field of the `wpgmp_local` JavaScript object, rendering the check ineffective as an access control mechanism. Additionally, there is no capability check in the vulnerable version, making it possible for unauthenticated attackers to invoke the AJAX action.

When an attacker sends a request with the `check_temp` parameter set to `false`, the `wpgmp_temp_access_support()` function creates a new WordPress user via `wp_insert_user()` with a hardcoded role of administrator, a randomly generated username, and the hardcoded email address `support@flippercode.com`. The function then generates a "magic login URL" using `generate_login_link()`, stores it as user meta, and returns it in the response body. When the attacker visits the returned URL, the plugin calls `wp_set_auth_cookie()` to fully authenticate the visitor as the newly created administrator, without requiring a password or any further verification.
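As an added defender-side illustration (not code from the advisory, Wordfence or the plugin), the following Python flags access-log requests to the AJAX action described above and audits exported user rows for the hardcoded support email. It assumes Common Log Format lines with the `action` and `check_temp` parameters in the query string, and user rows as dicts carrying `user_login`, `user_email` and `role`; the log lines and user rows are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlparse

VULN_ACTION = "wpgmp_temp_access_ajax"       # AJAX action named in the advisory
INDICATOR_EMAIL = "support@flippercode.com"  # email hardcoded into the created admin

# Common Log Format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 312
198.51.100.4 - - [18/May/2026:10:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55
192.0.2.9 - - [18/May/2026:10:03:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 41
"""

# Constructed sample of wp_users rows joined with their role (assumed export shape).
SAMPLE_USERS = [
    {"user_login": "alice", "user_email": "alice@example.org", "role": "administrator"},
    {"user_login": "k3x9q2", "user_email": "support@flippercode.com", "role": "administrator"},
    {"user_login": "bob", "user_email": "bob@example.org", "role": "subscriber"},
]


def flag_ajax_requests(log_text):
    """Return (ip, timestamp, check_temp) for every call to the vulnerable action.

    Any invocation is worth triage, since the action should never be reached
    unauthenticated; check_temp is None when the parameter is absent. POST
    bodies are not in standard access logs, so a request that carries the
    parameters only in the body is visible here by the action name alone.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        q = parse_qs(url.query)
        if q.get("action", [""])[0] != VULN_ACTION:
            continue
        hits.append((m.group("ip"), m.group("ts"), q.get("check_temp", [None])[0]))
    return hits


def flag_suspicious_admins(users):
    """Return logins of administrators whose email is the plugin's hardcoded one."""
    return [u["user_login"] for u in users
            if u["role"] == "administrator" and u["user_email"].lower() == INDICATOR_EMAIL]
```

Run both checks against real exports; an administrator with the indicator email that nobody on the team created is grounds for treating the site as compromised, not just unpatched.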

This vulnerability allows an attacker to gain full administrator-level control over the affected site, enabling them to install malicious plugins, modify content, steal data, or use the site for further attacks. The impact is severe, as over 15,000 sites are potentially at risk. The plugin is sold on CodeCanyon and is used by site owners to embed customizable Google Maps with markers, categories, and advanced location features.

A patch was released in version 6.1.1 of WP Maps Pro. Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against exploits targeting this vulnerability on May 18, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 17, 2026. Users are strongly urged to update their sites to the latest patched version as soon as possible.

This vulnerability highlights the ongoing risk posed by plugins that implement insecure "temporary access" features. Relying on a nonce that is exposed to every visitor as the only gate, and omitting a capability check entirely, are common pitfalls that can lead to critical privilege escalation. Site administrators should regularly audit their plugins for such flaws and apply patches promptly to mitigate the risk of compromise.

Synthesized by Vypr AI