Full Report
Threat actors are actively attempting to exploit a critical security flaw in WP Maps Pro, a WordPress plugin with over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites. WP Maps Pro lets site owners embed customizable Google Maps and OpenStreetMap maps with markers, listings, and advanced location features on WordPress sites. It is
Analysis Summary
# Vulnerability: Unauthenticated Privilege Escalation in WP Maps Pro
## CVE Details
- **CVE ID:** CVE-2026-8732
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-269 (Improper Privilege Management) / CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** WP Maps Pro (formerly Advanced Google Maps Plugin for WordPress)
- **Versions:** All versions prior to and including 6.1.0
- **Configurations:** Any WordPress site with the plugin active. The vulnerable endpoint belongs to the plugin's "temporary access" support feature, but because the handler is registered for unauthenticated requests and the feature gate can be switched off by the caller, no site-side opt-in is needed for exploitation.
## Vulnerability Description
The vulnerability stems from the `wpgmp_temp_access_support()` function, part of a "temporary access" feature intended to let support staff into a site. The function is registered on the `wp_ajax_nopriv_wpgmp_temp_access_ajax` hook, so WordPress routes requests for that action to it from logged-out visitors.
The function does check a nonce (`fc-call-nonce`), but that nonce is written into every front-end page inside the `wpgmp_local` JavaScript object, so any visitor can read it; a WordPress nonce is a CSRF token, not proof of identity or capability, and it cannot substitute for a `current_user_can()` check. An unauthenticated attacker who supplies the nonce and sets the `check_temp` parameter to `false` skips the remaining gate and reaches `wp_insert_user()`, which creates an account with the hardcoded role `administrator`. The response includes a magic login URL; following it calls `wp_set_auth_cookie()` and hands the attacker a fully authenticated administrator session without ever entering a password.
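The following is an added, illustrative reconstruction of the handler pattern the description implies, written for this page and not taken from the plugin's source. The hook and function names, the `fc-call-nonce` nonce, the `wpgmp_local` object and the `check_temp` parameter come from the description; the script handle `wpgmp-frontend`, the option `wpgmp_temp_access_enabled`, the `wpgmp_magic_token` and `wpgmp_temp_expires` user meta keys and the exact request-parameter names are assumptions. The vulnerable form is shown first, then a hardened form that drops the `nopriv` registration, checks a capability before anything else and stops trusting the client-supplied bypass flag.

```php
<?php
// Added example: illustrative reconstruction of the vulnerable pattern and a hardened form.
// Runs inside WordPress (plugin or mu-plugin context); this is not the plugin's real code.

// The nonce is localized into every front-end page, so it is a public value.
add_action('wp_enqueue_scripts', function () {
    wp_localize_script('wpgmp-frontend', 'wpgmp_local', [   // script handle is assumed
        'ajax_url' => admin_url('admin-ajax.php'),
        'nonce'    => wp_create_nonce('fc-call-nonce'),
    ]);
});

// ---- VULNERABLE ----------------------------------------------------------
// Registered on the nopriv hook, so logged-out visitors reach it. The only
// checks are a public nonce and a gate the client itself can switch off.
add_action('wp_ajax_nopriv_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support');
function wpgmp_temp_access_support() {
    check_ajax_referer('fc-call-nonce', 'nonce');   // CSRF token, not authorization

    // Attacker sends check_temp=false and the feature gate is skipped entirely.
    $check_temp = ($_POST['check_temp'] ?? 'true') !== 'false';
    if ($check_temp && !get_option('wpgmp_temp_access_enabled')) {   // option name assumed
        wp_send_json_error('temporary access is disabled');
    }

    $user_id = wp_insert_user([
        'user_login' => 'wpgmp_support_' . wp_generate_password(6, false),
        'user_pass'  => wp_generate_password(24),
        'role'       => 'administrator',   // hardcoded highest privilege
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message());
    }

    // One-time token that the magic link below exchanges for a session.
    $token = wp_generate_password(32, false);
    update_user_meta($user_id, 'wpgmp_magic_token', $token);   // meta key assumed
    wp_send_json_success([
        'login_url' => add_query_arg('wpgmp_magic', $token, home_url('/')),
    ]);
}

// Magic-link consumer: whoever holds the token is logged in as that user.
add_action('init', function () {
    if (empty($_GET['wpgmp_magic'])) {
        return;
    }
    $users = get_users([
        'meta_key'   => 'wpgmp_magic_token',
        'meta_value' => sanitize_text_field(wp_unslash($_GET['wpgmp_magic'])),
        'number'     => 1,
    ]);
    if ($users) {
        delete_user_meta($users[0]->ID, 'wpgmp_magic_token');
        wp_set_auth_cookie($users[0]->ID, true);   // full administrator session, no password
        wp_safe_redirect(admin_url());
        exit;
    }
});

// ---- HARDENED ------------------------------------------------------------
// Only the authenticated (non-nopriv) hook, a capability check before anything
// else, and no client-controlled bypass of the server-side feature gate.
add_action('wp_ajax_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support_hardened');
function wpgmp_temp_access_support_hardened() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('fc-call-nonce', 'nonce');   // still useful, now purely as CSRF protection

    if (!get_option('wpgmp_temp_access_enabled')) {  // read server-side; the request cannot override it
        wp_send_json_error('temporary access is disabled');
    }

    $user_id = wp_insert_user([
        'user_login' => 'wpgmp_support_' . wp_generate_password(6, false),
        'user_pass'  => wp_generate_password(24),
        'role'       => 'editor',   // least privilege the support task needs (role choice assumed)
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message());
    }
    update_user_meta($user_id, 'wpgmp_temp_expires', time() + DAY_IN_SECONDS);  // bounded lifetime, key assumed
    wp_send_json_success(['user_id' => $user_id]);   // no magic URL; staff log in through the normal flow
}
```

The three defects are independent and each alone would be serious: the `nopriv` registration exposes the handler to the internet, the nonce check is mistaken for authorization, and the `check_temp` flag lets the caller disable the only remaining gate. The hardened form also drops the magic URL, since a bearer token that mints a full session is itself a credential worth stealing.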
## Exploitation
- **Status:** Exploited in the wild (Significant active exploitation reported)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Total access to site data)
- **Integrity:** High (Ability to modify any site content or settings)
- **Availability:** High (Ability to delete the site or lock out legitimate owners)
## Remediation
### Patches
- **Version 6.1.1:** Released May 20, 2026. Restricts the support endpoint so that only authenticated administrators can reach it.
### Workarounds
- **Update Immediately:** There are no practical workarounds other than upgrading to version 6.1.1 or later.
- **Deactivation:** If an update is not immediately possible, deactivate and delete the plugin to remove the vulnerable AJAX handler. Removing the plugin closes the entry point but does not evict an attacker who has already created an account; audit the administrator list and reset passwords and sessions afterwards.
## Detection
- **Indicators of Compromise:** Unexpected administrator accounts. WordPress keeps no native user-creation log, so review the Users screen or the `wp_users` table (with the `wp_capabilities` user meta, table prefix permitting) for administrators that are not in your known baseline, paying attention to `user_registered` timestamps and generated-looking login names.
- **Detection methods and tools:**
- Search web-server and WAF logs for requests to `admin-ajax.php` with `action=wpgmp_temp_access_ajax`. The action is commonly sent in the POST body, which standard access logs do not record, so query-string matching alone will miss some attempts; a WAF or request-body audit log covers that gap.
- The presence of the `wpgmp_local` JavaScript object in front-end HTML shows that the plugin is installed and its nonce exposed. Treat it as an exposure indicator for triage, not as evidence of compromise.
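Added example for the two checks above (not from the advisory or the vendor): a standalone PHP script that scans Apache combined-format access-log lines for the vulnerable AJAX action and compares the site's administrator list against a baseline of expected logins and a cutoff date. The log lines and user records are constructed samples; the user records are shaped like the output of `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json`.

```php
<?php
// Added example: triage helpers for the detection steps above. Standalone CLI script.
declare(strict_types=1);

// Constructed Apache combined-format lines (not real traffic). The fourth line
// carries the action in the POST body, which an access log never shows.
const SAMPLE_ACCESS_LOG = <<<'LOG'
203.0.113.7 - - [21/May/2026:03:14:22 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2026:03:14:23 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [21/May/2026:03:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false&nonce=8f3a2c1d9e HTTP/1.1" 200 298 "-" "curl/8.5.0"
192.0.2.44 - - [21/May/2026:03:16:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77 "https://example.test/contact" "Mozilla/5.0"
LOG;

// Constructed records shaped like `wp user list --role=administrator ... --format=json`.
const SAMPLE_ADMINS_JSON = '[
  {"ID":1,"user_login":"owner","user_email":"owner@example.test","user_registered":"2021-03-02 10:00:00"},
  {"ID":57,"user_login":"wpgmp_support_k2m9ab","user_email":"k2m9ab@example.test","user_registered":"2026-05-21 03:14:23"}
]';

/** Access-log hits where admin-ajax.php is called with the vulnerable action in the query string. */
function find_temp_access_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP, timestamp, method, request target, status
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $query = [];
        parse_str((string) parse_url($target, PHP_URL_QUERY), $query);
        if (parse_url($target, PHP_URL_PATH) !== '/wp-admin/admin-ajax.php'
            || ($query['action'] ?? '') !== 'wpgmp_temp_access_ajax') {
            continue;
        }
        $hits[] = [
            'ip' => $ip, 'time' => $ts, 'method' => $method, 'status' => (int) $status,
            // check_temp=false is the bypass the advisory describes; a 200 means the handler ran
            'bypass_flag' => ($query['check_temp'] ?? null) === 'false',
        ];
    }
    return $hits;
}

/** Administrators not in the operator's known baseline, or registered on/after a cutoff date. */
function unexpected_admins(string $json, array $known_logins, string $cutoff): array
{
    $cutoff_ts = strtotime($cutoff);
    $flagged = [];
    foreach (json_decode($json, true, 512, JSON_THROW_ON_ERROR) as $u) {
        $reasons = [];
        if (!in_array($u['user_login'], $known_logins, true)) {
            $reasons[] = 'not in baseline';
        }
        if (strtotime($u['user_registered']) >= $cutoff_ts) {
            $reasons[] = 'registered after cutoff';
        }
        if ($reasons) {
            $flagged[] = $u + ['reasons' => $reasons];
        }
    }
    return $flagged;
}

foreach (find_temp_access_requests(SAMPLE_ACCESS_LOG) as $h) {
    printf("ajax hit  %-14s %s %s status=%d bypass_flag=%s\n",
        $h['ip'], $h['time'], $h['method'], $h['status'], $h['bypass_flag'] ? 'yes' : 'no');
}
foreach (unexpected_admins(SAMPLE_ADMINS_JSON, ['owner'], '2026-05-01') as $u) {
    printf("admin     ID=%d %-22s registered=%s (%s)\n",
        $u['ID'], $u['user_login'], $u['user_registered'], implode(', ', $u['reasons']));
}
```

On the sample data the script reports the two requests that name the action in the query string and the one administrator outside the baseline; the plain POST on the fourth line is invisible to it, which is the point of the caveat above. Correlate `user_registered` timestamps of flagged accounts with the log hits, and after removing an attacker-created account also invalidate sessions (for example with `wp user session destroy`) and rotate the WordPress salts, since the magic-link flow issued cookies rather than a password.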
## References
- **Vendor product page (Envato/CodeCanyon):** hxxps://codecanyon[.]net/item/advanced-google-maps-plugin-for-wordpress/5211638
- **Wordfence Intelligence:** hxxps://www[.]wordfence[.]com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-map-gold/wp-maps-pro-610-unauthenticated-privilege-escalation-via-administrator-account-creation-to-wpgmp-temp-access-ajax-ajax-action
- **NVD Entry:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-8732