Critical Unauthenticated Admin Account Creation Flaw in WP Maps Pro Plugin Affects 15,000 Sites
A critical vulnerability in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create administrator accounts, leading to complete site takeover.

A critical vulnerability in the WP Maps Pro WordPress plugin, tracked as CVE-2026-8732 with a CVSS score of 9.8, allows unauthenticated attackers to create new administrator accounts on affected sites, leading to complete site takeover. The flaw affects over 15,000 sites running versions up to and including 6.1.0. The vulnerability was discovered and responsibly disclosed by researcher David Brown through the Wordfence Bug Bounty Program, earning a $1,950 bounty.
The vulnerability resides in the wpgmp_temp_access_ajax AJAX action, which is registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce. However, this nonce is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. Additionally, there is no capability check in the vulnerable version, making it possible for unauthenticated attackers to invoke the AJAX action.
When an attacker sends a request with the check_temp parameter set to false, the wpgmp_temp_access_support() function creates a new WordPress user via wp_insert_user() with a hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com. The function then generates a "magic login URL" using generate_login_link(), stores it as user meta, and returns it in the response body. When the attacker visits the returned URL, the plugin calls wp_set_auth_cookie() to fully authenticate the visitor as the newly created administrator, without requiring a password or any further verification.
This vulnerability allows an attacker to gain full administrator-level control over the affected site, enabling them to install malicious plugins, modify content, steal data, or use the site for further attacks. The impact is severe, as over 15,000 sites are potentially at risk. The plugin is sold on CodeCanyon and is used by site owners to embed customizable Google Maps with markers, categories, and advanced location features.
A patch was released in version 6.1.1 of WP Maps Pro. Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against exploits targeting this vulnerability on May 18, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 17, 2026. Users are strongly urged to update their sites to the latest patched version as soon as possible.
This vulnerability highlights the ongoing risk posed by plugins that implement insecure "temporary access" features. The use of hardcoded nonces and lack of capability checks are common pitfalls that can lead to critical privilege escalation. Site administrators should regularly audit their plugins for such flaws and apply patches promptly to mitigate the risk of compromise.
New reporting from BleepingComputer and Defiant (Wordfence) indicates the vulnerability, CVE-2026-8732 (CVSS 9.8), is being actively exploited in the wild, with over 3,600 exploit attempts blocked in the past 24 hours alone. The attack leverages a publicly exposed nonce check in the plugin's "temporary access" AJAX endpoint to create a new administrator user with the email support@flippercode.com and a magic login URL, enabling full site takeover without authentication. The vendor released WP Maps Pro 6.1.1 on May 20 following disclosure by David Brown, but users who have not yet patched remain at immediate risk.
Wordfence reports that the flaw is now under active exploitation, having blocked 2,858 attacks targeting CVE-2026-8732 in the past 24 hours. The vulnerability allows unauthenticated attackers to create administrator accounts via a temporary access feature protected only by a publicly exposed nonce. Users are urged to update to version 6.1.1 immediately.
Wordfence reports that the flaw is now under active exploitation, having blocked 2,858 attacks targeting CVE-2026-8732 in the past 24 hours. The vulnerability, which carries a CVSS score of 9.8, allows unauthenticated attackers to create administrator accounts via a temporary access feature that lacks proper access controls. Users are urged to update to version 6.1.1 immediately.
This new report from Defiant provides crucial technical details on the exploitation of CVE-2026-8732 in the WP Maps Pro plugin. It explains how threat actors leverage an ineffective nonce check within a callback AJAX function, combined with a lack of capability checks, to create unauthorized administrator accounts. The article also highlights that Defiant has blocked over 1,700 attacks targeting this vulnerability in the past 24 hours, underscoring the active exploitation.
The vulnerability, tracked as CVE-2026-8732, carries a CVSS score of 9.8 and impacts WP Maps Pro versions up to 6.1.0. The flaw was discovered by security researcher David Brown and reported through the Wordfence Bug Bounty Program, where it earned a $1,950 reward. The vendor has since released version 6.1.1 to address the issue, and users are strongly urged to update immediately to prevent unauthorized administrator account creation and subsequent website takeover.