WP Maps Pro WordPress flaw exploited to create admin accounts

June 2, 2026

TL;DR

A critical vulnerability (CVE-2026-8732, CVSS 9.8) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create admin accounts and take over sites. Wordfence blocked 2,858 exploitation attempts in 24 hours, with the flaw patched in version 6.1.1.

A critical vulnerability in WP Maps Pro, a commercial WordPress plugin with more than 15,000 sales on the Envato Market, is being actively exploited by attackers to create malicious administrator accounts on vulnerable sites. The flaw, tracked as CVE-2026-8732 with a CVSS score of 9.8, allows unauthenticated users to gain full administrative control of any WordPress installation running an unpatched version of the plugin.

Wordfence, which discovered the exploitation campaign, reported blocking 2,858 attacks targeting the vulnerability in the 24 hours prior to its disclosure. The flaw affects all versions of WP Maps Pro up to and including 6.1.0 and was patched in version 6.1.1, released on 20 May 2026. Security researcher David Brown is credited with discovering and reporting the issue.

How the exploit works

WP Maps Pro includes a “temporary access” feature designed to let the plugin’s support staff log into a customer’s site during troubleshooting. The feature exposes an AJAX action called “wpgmp_temp_access_ajax” that can create a new WordPress user with administrator privileges. The security architecture behind the feature was fundamentally flawed: the action was registered with WordPress’s “wp_ajax_nopriv_” hook, meaning it could be called by unauthenticated visitors.

The only protection was a nonce check, a token meant to prevent cross-site request forgery. But the nonce was publicly embedded into every frontend page of the site via the “wpgmp_local” JavaScript object, rendering it useless as an access control mechanism. Any visitor could read the nonce from the page source and use it to invoke the function.

An attacker who calls the endpoint with the parameter “check_temp=false” triggers the “wpgmp_temp_access_support()” function, which unconditionally creates a new WordPress user with the hardcoded role of administrator and returns a magic login URL. Visiting that URL calls “wp_set_auth_cookie()” to fully authenticate the attacker as the newly created admin. The entire chain, from unauthenticated request to full site takeover, requires no credentials, no social engineering, and no prior access.
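The two registration patterns below are an added illustration and not WP Maps Pro's own code: the hook, action, script handle and `example_*` function names are hypothetical. The first half reproduces the structure the article describes (a `nopriv` AJAX handler guarded only by a nonce that is localised onto every public page); the second half shows the kind of fix the article says version 6.1.1 applied, with an authorization check, least-privilege role, expiry and an audit log added on top.

```php
<?php
// Added illustration, not WP Maps Pro's code. The hook, action, script handle and
// function names ("example_...") are hypothetical; the structure mirrors the flaw
// the article describes and the kind of fix it says version 6.1.1 applied.

/* ---- Vulnerable pattern: support endpoint reachable by anyone ---- */

// Registering on wp_ajax_nopriv_* makes the handler callable by logged-out visitors.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' );
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_vulnerable' );

// The nonce is printed into every public page, so any visitor can read it.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-frontend', 'example_local', array(
        'nonce' => wp_create_nonce( 'example_temp_access' ),
    ) );
} );

function example_temp_access_vulnerable() {
    // A nonce only proves the request came from a page that carried it.
    // It is a CSRF defence, not authentication or authorization.
    check_ajax_referer( 'example_temp_access', 'nonce' );

    // No current_user_can() check: the caller's identity is never considered,
    // yet the account is created with a hardcoded administrator role.
    $user_id = wp_create_user( 'support_' . wp_generate_password( 6, false ), wp_generate_password() );
    wp_update_user( array( 'ID' => $user_id, 'role' => 'administrator' ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

/* ---- Hardened pattern: authenticated admins only, least privilege, audited ---- */

// Authenticated hook only; there is no nopriv registration at all.
add_action( 'wp_ajax_example_temp_access_v2', 'example_temp_access_hardened' );

// Emit the nonce only inside wp-admin, never on the public frontend.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'example_admin_local', array(
        'nonce' => wp_create_nonce( 'example_temp_access_v2' ),
    ) );
} );

function example_temp_access_hardened() {
    // Keep CSRF protection...
    check_ajax_referer( 'example_temp_access_v2', 'nonce' );

    // ...and add the authorization check the vulnerable version lacked:
    // only a user who already administers the site may open support access.
    // wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $login   = 'support_' . wp_generate_password( 8, false );
    $user_id = wp_create_user( $login, wp_generate_password( 32 ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // Grant the narrowest role support actually needs (hypothetical choice) and
    // record an expiry so the account can be reaped; never a permanent admin.
    wp_update_user( array( 'ID' => $user_id, 'role' => 'editor' ) );
    update_user_meta( $user_id, 'example_temp_access_expires', time() + DAY_IN_SECONDS );

    // Leave an audit trail naming the administrator who authorised the grant.
    error_log( sprintf( 'Temporary support user %s created by user #%d', $login, get_current_user_id() ) );

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The point to take from the contrast is that `check_ajax_referer()` answers "did this request originate from one of my pages?" and nothing else; any handler that changes privileges needs a `current_user_can()` check for the capability being granted, and must not be registered on a `wp_ajax_nopriv_*` hook at all.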

The plugin and its reach

WP Maps Pro allows site owners to embed customisable Google Maps and OpenStreetMap views with markers, listings, and advanced location features. It is commonly used as a store locator tool for businesses that need to help users find nearby locations, view details, and get directions. The plugin is sold through the Envato Market (CodeCanyon), not through WordPress’s official plugin directory, which means updates are not distributed through the standard WordPress auto-update mechanism.

That distribution model creates a particular risk. Site owners who purchased the plugin may not receive automatic notifications about the security update, and many WordPress installations are maintained by non-technical users or agencies that do not monitor vulnerability disclosures. Unlike large-scale cybercrime infrastructure that law enforcement can target with server seizures, WordPress plugin vulnerabilities are exploited through distributed, automated scanning campaigns that are difficult to disrupt.

What site owners should do

The patch in version 6.1.1 restricts the temporary access endpoint to authenticated administrators only. Site owners running WP Maps Pro should update immediately. Those who cannot update should disable the plugin until they can apply the patch. Checking for unexpected administrator accounts in the WordPress user list is a practical first step to determine whether a site has already been compromised.
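For the "check the user list for unexpected administrators" step, the following is an added audit helper, not part of WP Maps Pro or Wordfence. It assumes a must-use plugin file (the path and the `example_*` names are hypothetical) and an allowlist of administrator logins you maintain; the sample logins are constructed, and the patch date it compares against is the 20 May 2026 release date given above.

```php
<?php
// Added audit helper, not part of WP Maps Pro or Wordfence. Save it as a
// must-use plugin (e.g. wp-content/mu-plugins/example-admin-audit.php, a
// hypothetical path) so it loads on every request, then call it from WP-CLI.

// Logins you know should hold the administrator role (constructed example values).
const EXAMPLE_EXPECTED_ADMINS = array( 'site_owner', 'agency_ops' );

// Date the patch shipped, per the article; accounts created on or after it
// deserve a closer look even when they look legitimate.
const EXAMPLE_PATCH_DATE = '2026-05-20 00:00:00';

/**
 * Return every administrator whose login is not on the allowlist, with enough
 * detail to decide whether it is a forgotten colleague or an intruder.
 */
function example_find_unexpected_admins( array $expected = EXAMPLE_EXPECTED_ADMINS ) {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );

    $flagged = array();
    foreach ( $admins as $admin ) {
        if ( in_array( $admin->user_login, $expected, true ) ) {
            continue;
        }
        $flagged[] = array(
            'ID'                     => (int) $admin->ID,
            'user_login'             => $admin->user_login,
            'user_email'             => $admin->user_email,
            'user_registered'        => $admin->user_registered,
            // MySQL DATETIME strings compare correctly as plain strings.
            'registered_after_patch' => $admin->user_registered >= EXAMPLE_PATCH_DATE,
        );
    }
    return $flagged;
}

// Optional: run the check daily through WP-Cron and log anything unexpected,
// so a site nobody logs into still surfaces a rogue account.
add_action( 'example_admin_audit_daily', function () {
    foreach ( example_find_unexpected_admins() as $admin ) {
        error_log( sprintf(
            'Unexpected administrator #%d (%s, %s) registered %s',
            $admin['ID'], $admin['user_login'], $admin['user_email'], $admin['user_registered']
        ) );
    }
} );
if ( ! wp_next_scheduled( 'example_admin_audit_daily' ) ) {
    wp_schedule_event( time(), 'daily', 'example_admin_audit_daily' );
}
```

From a shell on the server, `wp eval 'print_r( example_find_unexpected_admins() );'` runs the check once. An unexpected account created on or after the patch date is the signal the article describes; removing it is not enough on its own, since the same access could have been used to install other persistence, so treat a hit as the start of an incident review rather than its end.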

The vulnerability is a textbook example of a pattern that recurs across the WordPress ecosystem: a support or debugging feature that grants elevated privileges, protected by a security mechanism that does not actually restrict access. Vulnerability disclosure programmes and security researchers like Brown play a critical role in catching these flaws before they cause widespread damage, but the 2,858 attacks blocked in a single day demonstrate that the window between disclosure and exploitation is now measured in hours, not weeks.