WordPress site owners are urged to immediately update the WP Maps Pro plugin following the discovery of a critical security vulnerability that allows unauthenticated attackers to gain administrative control over their websites. Threat actors have been observed actively attempting to exploit this flaw, known as CVE-2026-8732, to create malicious administrator accounts on vulnerable sites.
The WP Maps Pro plugin, which has seen over 15,000 sales on the Envato Market, is a popular tool for embedding customizable Google Maps and OpenStreetMap features onto WordPress sites. It commonly serves as a store locator, aiding users in finding nearby businesses, viewing details, and obtaining directions. The plugin’s extensive use makes this vulnerability a significant concern for a large number of website administrators.
Critical Flaw in WP Maps Pro Allows Website Takeover
The vulnerability, formally identified as CVE-2026-8732 with a CVSS score of 9.8, is an unauthenticated privilege escalation: an attacker with no account on the site can create a new user that holds the administrator role. Administrator is the highest role on a single-site WordPress install, so the attacker can then change content, install plugins or themes, and alter any setting.
This flaw affects every version of WP Maps Pro up to and including 6.1.0. The developers fixed it in version 6.1.1, released on May 20, 2026. Security researcher David Brown is credited with discovering and responsibly reporting the vulnerability.
Technical Details of the Privilege Escalation
The root cause lies in the plugin’s “temporary access” feature, which is meant to give support staff a temporary login for troubleshooting. Its implementation, specifically the `wpgmp_temp_access_support()` function, performed no authorization check: the function was reachable without logging in, and nothing in it verified that the caller was allowed to create users, so an unauthenticated request could drive it all the way to creating an administrator account.
According to security firm Wordfence, the `wpgmp_temp_access_ajax` AJAX action was registered with the `wp_ajax_nopriv_` hook prefix, which is how WordPress exposes an action to visitors who are not logged in. The only gate was a nonce check against `fc-call-nonce`, and that nonce is printed into every frontend page through `wp_localize_script` as part of the `wpgmp_local` JavaScript object. A WordPress nonce is a CSRF token, not an authorization check: it shows the request came from someone who loaded a page that embeds it, and when every visitor is handed the value it shows nothing at all. An action that creates users needs a capability check such as `current_user_can()`, and should not be registered under `wp_ajax_nopriv_` in the first place.
Wordfence describes the exploit path as follows: an unauthenticated attacker calls the `wpgmp_temp_access_support` handler with the parameter `check_temp=false`. That value skips the handler’s verification branch, after which the function unconditionally creates a new WordPress user through `wp_insert_user()` with the role hardcoded to administrator. The response includes a special login URL; visiting it triggers `wp_set_auth_cookie()` for the new account, so the attacker ends up with an authenticated administrator session and full control of the site.
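The following is an added illustration, not the WP Maps Pro source (the article does not reproduce it). The vulnerable branch mirrors the pattern Wordfence describes, and the hardened branch shows the checks it lacked: no `nopriv` registration, a capability check that does not depend on the nonce, a non-administrator role, and a hashed, single-use, expiring login token instead of a bare user ID. Everything other than the two hook names and the nonce string the article gives is an assumption: the `nonce` and `token` request parameters, the `check_temp` branch logic, the meta keys, the cron hook and the login-URL format. It uses WordPress APIs, so it has to be loaded inside a WordPress install (for example as an mu-plugin) to run.

```php
<?php
/*
 * Added illustration, NOT the WP Maps Pro source. The vulnerable branch mirrors the
 * pattern Wordfence describes; the hardened branch shows the checks it lacked.
 * Parameter names, meta keys, the cron hook and the login-URL format are assumptions.
 * Load inside WordPress (e.g. as an mu-plugin) to run.
 */

defined('ABSPATH') || exit;

const WPGMP_DEMO_HARDENED = true; // set to false to wire up the vulnerable pattern instead

/* ---------- Vulnerable pattern: public action gated only by a public nonce ---------- */

function wpgmp_temp_access_support_vulnerable() {
    // A nonce is a CSRF token. This one is printed into every frontend page via
    // wp_localize_script('...', 'wpgmp_local', [...]), so any visitor can read it.
    check_ajax_referer('fc-call-nonce', 'nonce');

    if (isset($_POST['check_temp']) && $_POST['check_temp'] !== 'false') {
        wp_send_json_success(['temp_access_enabled' => true]); // check-only branch (assumed shape)
    }
    // check_temp=false lands here, with no capability check at all.
    $user_id = wp_insert_user([
        'user_login' => 'support_' . wp_generate_password(8, false),
        'user_pass'  => wp_generate_password(20),
        'role'       => 'administrator', // hardcoded highest privilege
    ]);
    wp_send_json_success(['url' => add_query_arg('wpgmp_temp_login', $user_id, home_url('/'))]);
}

function wpgmp_temp_login_vulnerable() {
    if (isset($_GET['wpgmp_temp_login'])) {
        wp_set_auth_cookie((int) $_GET['wpgmp_temp_login']); // no token, no expiry, reusable
        wp_safe_redirect(admin_url());
        exit;
    }
}

/* ---------- Hardened pattern: authenticated action, capability check, bounded access ---------- */

function wpgmp_temp_access_support_hardened() {
    check_ajax_referer('wpgmp_temp_access', 'nonce'); // nonce emitted only on the plugin's admin screen
    if (!current_user_can('create_users')) {          // authorization, independent of the nonce
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $user_id = wp_insert_user([
        'user_login' => 'support_' . wp_generate_password(8, false),
        'user_pass'  => wp_generate_password(24),
        'role'       => 'editor', // least privilege for support work, never a hardcoded administrator
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()], 500);
    }
    // Single-use, expiring login token: store only its hash, and delete the account afterwards.
    $token   = bin2hex(random_bytes(32));
    $expires = time() + DAY_IN_SECONDS;
    update_user_meta($user_id, 'wpgmp_temp_login_hash', hash('sha256', $token));
    update_user_meta($user_id, 'wpgmp_temp_login_expires', $expires);
    wp_schedule_single_event($expires, 'wpgmp_delete_temp_user', [$user_id]);

    $url = add_query_arg(['wpgmp_temp_login' => $user_id, 'token' => $token], home_url('/'));
    wp_send_json_success(['url' => $url]);
}

function wpgmp_temp_login_hardened() {
    if (!isset($_GET['wpgmp_temp_login'], $_GET['token'])) {
        return;
    }
    $user_id = (int) $_GET['wpgmp_temp_login'];
    $hash    = get_user_meta($user_id, 'wpgmp_temp_login_hash', true);
    $expires = (int) get_user_meta($user_id, 'wpgmp_temp_login_expires', true);
    if (!$hash || time() > $expires
        || !hash_equals($hash, hash('sha256', (string) $_GET['token']))) {
        wp_die('Invalid or expired support link.', 403);
    }
    delete_user_meta($user_id, 'wpgmp_temp_login_hash'); // single use
    wp_set_auth_cookie($user_id);
    wp_safe_redirect(admin_url());
    exit;
}

function wpgmp_delete_temp_user($user_id) {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user((int) $user_id);
}

if (WPGMP_DEMO_HARDENED) {
    add_action('wp_ajax_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support_hardened'); // no nopriv
    add_action('init', 'wpgmp_temp_login_hardened');
    add_action('wpgmp_delete_temp_user', 'wpgmp_delete_temp_user');
} else {
    add_action('wp_ajax_nopriv_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support_vulnerable');
    add_action('wp_ajax_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support_vulnerable');
    add_action('init', 'wpgmp_temp_login_vulnerable');
}
```

The two branches differ in three places that matter: the hardened action has no `nopriv` registration and checks `current_user_can()` before touching `wp_insert_user()`; the created account never gets the administrator role; and the login URL is bound to a random token whose hash is stored, checked with `hash_equals()`, consumed on first use and expired by a scheduled deletion. With the vulnerable wiring, every one of those is missing, and the public nonce is the only thing a request has to carry.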
Active Exploitation and Urgent Need for Updates
Since version 6.1.1 was released, Wordfence has reported blocking a large number of attacks against the vulnerability: over 2,858 attacks were detected and blocked in the 24 hours preceding its report. The speed with which attackers picked up this flaw leaves unpatched sites very little time.
The maintainers shipped version 6.1.1 promptly. The continuing exploitation attempts, however, show that many sites have not yet applied it, and those sites are targets for automated attacks that compromise WordPress installations to host malware, phishing pages or spam.
Next Steps for Website Security
The immediate and most important step for all users of the WP Maps Pro plugin is to update to version 6.1.1 or later as soon as possible. Website owners who are unsure which version they run, or how to update, should consult their hosting provider or website administrator. Until the update is applied, deactivating the plugin removes the exposed AJAX handler, at the cost of the maps and store locator going offline in the meantime. Because exploitation creates an administrator account, owners of sites that were exposed should also review the user list for administrators they did not create and remove them: updating the plugin closes the hole but does not undo an account an attacker already made.
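The following is an added example, not from the article, Wordfence or the plugin. It is the offline triage a site owner without a firewall can run for the outcome the article describes, an administrator account nobody on the team created, and it goes one step beyond the text by pairing two signals: access-log requests that name the vulnerable action, and administrators missing from an allowlist or registered on or after the patch date. The log lines and the user export are constructed samples; on a real site, feed it the web server's access log and the JSON from `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`. The Combined Log Format, the PHP 8 string functions and the use of the patch date as a cutoff are assumptions.

```php
<?php
/*
 * Added example, not from the article, Wordfence or the plugin. Offline triage for the
 * outcome of CVE-2026-8732: an administrator account the site owner did not create.
 * Run with `php triage.php` (PHP 8+). The log lines and the user export below are
 * constructed samples; on a real site, feed in the web-server access log and the JSON
 * from `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`.
 */

// Constructed Combined Log Format lines. Only the first names the action in the query
// string; the third is the same client POSTing admin-ajax.php with the action in the
// request body, which access logs do not record.
const SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:03:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 118 "-" "python-requests/2.31"',
    '192.0.2.10 - - [21/May/2026:08:00:11 +0000] "GET /store-locator/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2026:03:14:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 118 "-" "python-requests/2.31"',
];

// Constructed administrator export; 'alice' is the legitimate owner.
const SAMPLE_ADMINS = [
    ['ID' => 1,  'user_login' => 'alice',            'user_registered' => '2023-02-01 10:00:00'],
    ['ID' => 57, 'user_login' => 'support_q8x2mlkp', 'user_registered' => '2026-05-21 03:14:03'],
];

const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/';

/**
 * Requests that name the vulnerable action in the query string, plus every other
 * admin-ajax.php POST from the same source IPs. The second group matters because
 * admin-ajax.php reads `action` from $_REQUEST, so a POST body carries it unseen.
 */
function find_temp_access_requests(array $lines): array
{
    $parsed = [];
    foreach ($lines as $line) {
        if (preg_match(LOG_RE, $line, $m)) {
            $parsed[] = ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
        }
    }
    $hits = [];
    $flagged_ips = [];
    foreach ($parsed as $r) {
        if (str_contains($r['path'], 'action=wpgmp_temp_access_ajax')) {
            $hits[] = $r + ['reason' => 'vulnerable action in query string'];
            $flagged_ips[$r['ip']] = true;
        }
    }
    foreach ($parsed as $r) {
        if (isset($flagged_ips[$r['ip']]) && $r['method'] === 'POST'
            && str_starts_with($r['path'], '/wp-admin/admin-ajax.php') && !str_contains($r['path'], 'action=')) {
            $hits[] = $r + ['reason' => 'admin-ajax POST from flagged IP, action in body (not logged)'];
        }
    }
    return $hits;
}

/** Administrators absent from the owner's allowlist, or registered on/after the given date. */
function find_unexpected_admins(array $admins, array $allowlist, string $since = '2026-05-20'): array
{
    $cutoff = strtotime($since);
    return array_values(array_filter(
        $admins,
        fn(array $u) => !in_array($u['user_login'], $allowlist, true) || strtotime($u['user_registered']) >= $cutoff
    ));
}

foreach (find_temp_access_requests(SAMPLE_LOG) as $h) {
    printf("request  %-14s %s %s %d  %s\n", $h['ip'], $h['time'], $h['path'], $h['status'], $h['reason']);
}
foreach (find_unexpected_admins(SAMPLE_ADMINS, ['alice']) as $u) {
    printf("admin    ID %-4d %-20s registered %s\n", $u['ID'], $u['user_login'], $u['user_registered']);
}
```

On the constructed input this flags both requests from 203.0.113.7 and the `support_q8x2mlkp` account. An empty log result is not evidence of safety, since the action is usually sent in the POST body, which is why the user-table check is the one that actually answers the question. Removing a rogue administrator is necessary but not sufficient: anyone who held an admin session could have installed a backdoor, so the plugin, mu-plugin and theme directories and any recently modified files deserve the same review.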
Security professionals will be closely monitoring for any further exploitation attempts or variations of this attack vector. Organizations that have experienced security incidents or believe they may have been affected should conduct thorough security audits and incident response procedures. The ongoing threat landscape necessitates continuous vigilance and proactive security practices for all WordPress website administrators.

