Threat actors are actively exploiting a critical security flaw affecting WP Maps Pro, a WordPress plugin with over 15,000 sales on Envato Market, to create malicious administrator accounts on susceptible sites.
WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, lists, and advanced location features into their WordPress sites. It is used as a store locator tool, making it easy for users to find nearby stores, view listing details, and get directions.
The vulnerability in question is CVE-2026-8732 (CVSS score: 9.8), a privilege escalation bug that allows an unauthenticated attacker to create a WordPress user with administrative privileges and effectively take control of the site.
This drawback affects all versions of the plugin prior to 6.1.0. This issue was resolved in version 6.1.1. Security researcher David Brown is credited with discovering and reporting this flaw.
Broadly speaking, the issue is caused by a “temporary access” feature designed to allow support staff to log into a customer’s site while troubleshooting. This process allows an unauthenticated user to call the “wpgmp_temp_access_support()” function without proper checks, which ultimately allows for the creation of an admin user.
“This is because the wpgmp_temp_access_ajax AJAX action is registered in wp_ajax_nopriv_ and is only protected by a nonce check using the fc-call-nonce nonce. This nonce is passed to all frontends via wp_localize_script as the nonce field of the wpgmp_local JavaScript object. It is publicly embedded in the page and the check is disabled as an access control mechanism,” Wordfence said.
“This allows an unauthenticated attacker to call the wpgmp_temp_access_support handler with check_temp=false. This will unconditionally create a new WordPress user with a hard-coded admin role via wp_insert_user() and, once accessed, a magic login URL that calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created admin. is returned, resulting in a complete takeover of the site.”
A patch released by the plugin administrator on May 20, 2026 resolves the vulnerability by allowing only authenticated administrators to access the endpoint.
However, the security flaw has since been actively exploited, with Wordfence announcing that it has blocked 2,858 attacks targeting this issue in the past 24 hours. Therefore, it is essential for site owners to update their instances to the latest version for optimal protection.
Source link
