A critical security vulnerability in the WP Maps Pro WordPress plugin has been actively exploited by attackers to create unauthorized administrator accounts on affected websites. This flaw, identified as CVE-2026-8732 with a CVSS score of 9.8, impacts all versions up to and including 6.1.0. WP Maps Pro, a premium plugin with over 15,000 sales on the Envato Market, enables site owners to embed customizable Google Maps and OpenStreetMap features into their WordPress sites.
The vulnerability originates from a temporary access feature intended for vendor support, which allows support staff to log in to customer sites for troubleshooting. Due to inadequate authentication checks, unauthenticated attackers can exploit this feature to invoke the `wpgmp_temp_access_support()` function, leading to the creation of new administrator accounts. This is facilitated by the `wpgmp_temp_access_ajax` AJAX action being registered with `wp_ajax_nopriv_` and protected only by a nonce check using the `fc-call-nonce` nonce. This nonce is publicly embedded into every frontend page via `wp_localize_script` as the nonce field of the `wpgmp_local` JavaScript object, rendering the check ineffective as an access control mechanism. Consequently, attackers can invoke the `wpgmp_temp_access_support` handler with `check_temp=false`, which unconditionally creates a new WordPress user with the hardcoded role of administrator via `wp_insert_user()` and returns a magic login URL. When visited, this URL calls `wp_set_auth_cookie()` to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
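The pattern described above, as an added illustration in PHP that is not the plugin's own code (the action, nonce and function names are hypothetical): a nonce-only check on a `wp_ajax_nopriv_` endpoint beside a handler that enforces a capability check, so an anonymous visitor holding the publicly embedded nonce never reaches `wp_insert_user()`.

```php
<?php
// Hypothetical, simplified illustration; not the WP Maps Pro source.

// Weak pattern: the action is registered for anonymous visitors (nopriv)
// and the only gate is a nonce that every front-end page already exposes.
add_action( 'wp_ajax_nopriv_example_temp_access_weak', 'example_temp_access_weak' );
add_action( 'wp_ajax_example_temp_access_weak',        'example_temp_access_weak' );

function example_temp_access_weak() {
    // A nonce shows the request came from a page that embedded it; it says
    // nothing about who sent it, so it is CSRF protection, not authorization.
    check_ajax_referer( 'example-call-nonce', 'nonce' );
    example_create_support_admin(); // reachable by anyone with the public nonce
}

// Hardened pattern: no nopriv registration, and the handler checks a
// capability before doing anything privileged.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );

function example_temp_access_hardened() {
    check_ajax_referer( 'example-call-nonce', 'nonce' ); // CSRF protection only
    if ( ! current_user_can( 'manage_options' ) ) {      // the actual access control
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    example_create_support_admin();
}

// Shared helper: creating an administrator is the privileged operation that
// must sit behind the capability check above.
function example_create_support_admin() {
    $user_id = wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

When auditing a plugin, grep for every `wp_ajax_nopriv_` registration and confirm that its handler either performs no privileged action or, as here, requires a logged-in user with an appropriate capability rather than relying on the nonce alone.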
Security researcher David Brown discovered and reported this flaw, leading to the release of version 6.1.1 on May 20, 2026, which addresses the issue by ensuring that only authenticated administrators can access the endpoint. Despite the availability of this patch, the vulnerability has been actively exploited. Wordfence reported blocking 2,858 attacks targeting this issue over a 24-hour period. Given the severity and active exploitation of this vulnerability, it is imperative for site owners using WP Maps Pro to update their installations to version 6.1.1 immediately to protect their websites from potential compromise.
In summary, the critical flaw in WP Maps Pro poses a significant risk to WordPress sites utilizing the plugin. The vulnerability allows unauthenticated attackers to create administrator accounts, leading to potential full site takeovers. The issue has been addressed in version 6.1.1, and site owners are strongly advised to update their installations without delay to mitigate the risk of exploitation.