2026-06-01 The Hacker News

Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

Tags: Vulnerability, Zero-Day

A critical vulnerability (CVE-2026-8732) in the WP Maps Pro WordPress plugin is being actively exploited to create rogue administrator accounts on vulnerable sites. The flaw, rated CVSS 9.8, lets unauthenticated attackers escalate to full control of an affected installation. Wordfence reports blocking over 2,858 attack attempts targeting it in the past 24 hours alone, indicating widespread exploitation in the wild. Site administrators should update to version 6.1.1 immediately.

Security researcher David Brown discovered and responsibly disclosed the vulnerability, which affects all plugin versions up to and including 6.1.0. The plugin, with over 15,000 sales on Envato Market, is commonly used to build store locators with Google Maps and OpenStreetMap integration.

The core issue is a "temporary access" support feature that can be abused to create administrator users without authentication. The wpgmp_temp_access_ajax AJAX action is registered with the wp_ajax_nopriv_ hook prefix, so it is reachable by unauthenticated requests to admin-ajax.php. Its only gate is a nonce check on the fc-call-nonce value, and that nonce is printed into the wpgmp_local JavaScript object by wp_localize_script on every frontend page. A WordPress nonce is a CSRF token, not an authorization check; once any visitor can read it, passing the check proves nothing about who the caller is, so the endpoint is effectively open to everyone.

Invoking the wpgmp_temp_access_support handler with check_temp=false causes it to call wp_insert_user() with a hard-coded administrator role. The response includes a "magic login" URL; visiting it calls wp_set_auth_cookie() for the new account, logging the attacker in as an administrator and completing the site takeover. The patch released on May 20, 2026 restricts the endpoint to authenticated administrators only.
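As an added illustration, not code from WP Maps Pro or from the advisory, the handler shape described above is shown beside a hardened version. The hook name wp_ajax_nopriv_wpgmp_temp_access_ajax, the fc-call-nonce action and the check_temp parameter come from the advisory; the function names, the request field carrying the nonce, the transient key and the wpgmp_temp_token query parameter are assumptions made for the example.

```php
<?php
/*
 * Added example, not the plugin's code. Vulnerable shape as described in the
 * advisory, then a hardened one. Function names, the 'nonce' request field,
 * the transient key and the 'wpgmp_temp_token' parameter are assumptions.
 */

/* ---------- Vulnerable shape ---------- */

// nopriv registration makes the action reachable without any session.
add_action('wp_ajax_nopriv_wpgmp_temp_access_ajax', 'wpgmp_temp_access_vulnerable');

function wpgmp_temp_access_vulnerable() {
    // fc-call-nonce is printed into every page by wp_localize_script(), so this
    // proves only that the caller loaded a page, not who they are.
    check_ajax_referer('fc-call-nonce', 'nonce');

    if (($_POST['check_temp'] ?? '') === 'false') {
        $user_id = wp_insert_user([
            'user_login' => 'tempsupport',                  // illustrative name
            'user_pass'  => wp_generate_password(24, true),
            'role'       => 'administrator',                // hard-coded privilege
        ]);
        // Handing back a login link that ends in wp_set_auth_cookie() completes
        // the takeover for whoever called this endpoint.
        wp_send_json_success(['login_url' => home_url('/?temp_login=' . (int) $user_id)]);
    }
    wp_send_json_error('nothing to do');
}

/* ---------- Hardened shape ---------- */

// Authenticated hook only: no wp_ajax_nopriv_ variant exists at all.
add_action('wp_ajax_wpgmp_temp_access_ajax', 'wpgmp_temp_access_hardened');

function wpgmp_temp_access_hardened() {
    // The nonce stays as CSRF protection; the capability check is the
    // authorization. Both are required.
    check_ajax_referer('fc-call-nonce', 'nonce');
    if (!current_user_can('create_users') || !current_user_can('promote_users')) {
        wp_send_json_error('forbidden', 403);
    }

    $user_id = wp_insert_user([
        'user_login' => 'tempsupport',
        'user_pass'  => wp_generate_password(24, true),
        // Role is fixed server-side (never taken from the request); pick the
        // least privilege the support task actually needs.
        'role'       => 'administrator',
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message(), 500);
    }

    // Short-lived, single-use token instead of a guessable user id in the URL.
    $token = wp_generate_password(32, false);
    set_transient(
        'wpgmp_temp_access_' . hash('sha256', $token),
        (int) $user_id,
        15 * MINUTE_IN_SECONDS
    );
    wp_send_json_success([
        'login_url' => add_query_arg('wpgmp_temp_token', $token, home_url('/')),
    ]);
}

// Consume the magic link: valid token logs the user in once, then is burned.
add_action('init', function () {
    if (empty($_GET['wpgmp_temp_token'])) {
        return;
    }
    $key     = 'wpgmp_temp_access_' . hash('sha256', (string) $_GET['wpgmp_temp_token']);
    $user_id = get_transient($key);
    if ($user_id === false) {
        wp_die('Invalid or expired link', '', ['response' => 403]);
    }
    delete_transient($key);
    wp_set_auth_cookie((int) $user_id, false);
    wp_safe_redirect(admin_url());
    exit;
});
```

The two changes that matter are dropping the wp_ajax_nopriv_ registration and adding a capability check; the token-based magic link is an extra hardening the advisory does not describe, added here because a bare user id in a login URL is the other half of the attack chain.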
Organizations using this plugin should confirm that every installation is on 6.1.1 or later, then assume the window before the update may have been used. Check the user table for administrator accounts you did not create, paying attention to user_registered dates around the exploitation window, and review web server and WAF logs for requests to admin-ajax.php carrying action=wpgmp_temp_access_ajax. If a rogue administrator is found, treat the site as compromised: remove the account, rotate all administrator passwords and the authentication salts in wp-config.php, and audit plugin, theme and upload directories for backdoors, since an attacker with administrator access can install arbitrary code. Threat intelligence indicates the vulnerability is being weaponized in automated attack campaigns, so timely updates are critical.
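As an added example (not from the advisory or the plugin), a stand-alone PHP audit script for the two indicators above: requests to the nopriv action in access logs, and administrator accounts that appeared after the patch date. Both inputs are constructed samples; the log format is assumed to be combined Apache/nginx, and the user records are assumed to be shaped like the output of `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`.

```php
<?php
/*
 * Added example, not the plugin's or the advisory's code. Run with `php audit.php`.
 * Assumptions: combined log format; user records shaped like WP-CLI's
 * `wp user list ... --format=json` output, with user_registered in UTC.
 */

// Constructed log lines: one GET carrying the action in the query string, one
// POST to admin-ajax.php whose body (where the action usually travels) is not
// logged, and one unrelated page view.
$sampleLog = <<<'LOG'
198.51.100.9 - - [28/May/2026:02:14:10 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:02:14:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.5 - - [28/May/2026:02:15:00 +0000] "GET /store-locator/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
LOG;

// Constructed user records.
$sampleUsers = [
    ['ID' => 1,  'user_login' => 'owner',       'user_registered' => '2021-03-02 10:00:00'],
    ['ID' => 57, 'user_login' => 'tempsupport', 'user_registered' => '2026-05-28 02:14:11'],
];

// Flag requests to admin-ajax.php that name the vulnerable action. POSTs hide
// the action in the body, so they are reported for manual/WAF-log review.
function find_temp_access_requests(string $log): array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    $suffix  = '/wp-admin/admin-ajax.php';
    $hits    = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $target, $status] = $m;

        $path = (string) parse_url($target, PHP_URL_PATH);
        if (substr($path, -strlen($suffix)) !== $suffix) {
            continue;
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $query);

        if (($query['action'] ?? '') === 'wpgmp_temp_access_ajax') {
            $confidence = 'high';          // action visible in the query string
        } elseif ($method === 'POST') {
            $confidence = 'inspect-body';  // action may be in the unlogged body
        } else {
            continue;
        }
        $hits[] = compact('ip', 'time', 'method', 'status', 'confidence');
    }
    return $hits;
}

// Administrator accounts registered on or after $since (UTC).
function flag_new_admins(array $users, string $since): array
{
    $utc    = new DateTimeZone('UTC');
    $cutoff = new DateTimeImmutable($since, $utc);
    return array_values(array_filter(
        $users,
        fn(array $u) => new DateTimeImmutable($u['user_registered'], $utc) >= $cutoff
    ));
}

// Patch date from the advisory; any admin registered after it that you did not
// create yourself needs an explanation.
$requests  = find_temp_access_requests($sampleLog);
$newAdmins = flag_new_admins($sampleUsers, '2026-05-20 00:00:00');

foreach ($requests as $r) {
    printf("[%s] %s %s admin-ajax.php from %s (status %s)\n",
        $r['confidence'], $r['time'], $r['method'], $r['ip'], $r['status']);
}
foreach ($newAdmins as $u) {
    printf("[review] administrator '%s' (ID %d) registered %s\n",
        $u['user_login'], $u['ID'], $u['user_registered']);
}
```

On the sample input this reports the GET as a high-confidence hit, the POST as needing body inspection, and the tempsupport account as a post-patch administrator. The log check only sees what the server logged; if your WAF or application log records POST parameters, run the same action match against those. A clean user list is not proof of a clean site, since an attacker who held administrator access can have left code behind after deleting the account.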

Source: The Hacker News