A critical-severity vulnerability discovered in WP Maps Pro, a premium WordPress plugin with over 15,000 sales on Envato’s CodeCanyon marketplace, allows unauthenticated attackers to silently create administrator accounts and seize full control of affected websites.
Tracked as CVE-2026-8732 and scored CVSS 9.8 (Critical), the flaw belongs to one of the most dangerous classes of WordPress vulnerabilities, unauthenticated privilege escalation, and demands immediate action from site owners.
WP Maps Pro (plugin slug: wp-google-map-gold) is a widely used WordPress plugin that enables site owners to embed customizable Google Maps with advanced markers, location categories, and geolocation features.
Behind the scenes, the plugin includes a “temporary access” feature that allows vendor support staff to log in to a customer’s site during troubleshooting sessions.
The mechanism, however, was implemented without any authorization check, so any unauthenticated attacker on the internet could invoke it.
Security researcher David Brown discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program on March 24, 2026, earning a $1,950.00 bounty for the disclosure.
The vulnerability resides in the wpgmp_temp_access_ajax_callback() function, which is registered on the wp_ajax_nopriv_ hook and is therefore reachable by visitors who are not logged in.
The function does verify a nonce (fc-call-nonce), which sounds protective. The problem is that a WordPress nonce is a CSRF defence, not an authorization control, and this one is embedded into every frontend page via wp_localize_script as part of the wpgmp_local JavaScript object, so any anonymous visitor can read it from the page source.
Once an attacker extracts the nonce from any public-facing page, they send a crafted POST request to the AJAX endpoint with the parameter check_temp=false. This calls the wpgmp_temp_access_support() function in the WPGMP_Temp_Access class, which unconditionally:
- creates a new WordPress user via wp_insert_user() with the hard-coded role administrator
- assigns a randomly generated username prefixed with fc_user_
- uses the hardcoded email address support@flippercode.com
- generates a magic login URL via generate_login_link() and returns it in the HTTP response body
When the attacker visits the returned magic URL, the plugin calls wp_set_auth_cookie() to fully authenticate the session: no password, no verification, no challenge. The attacker is now an administrator on the compromised site.
From that point, threat actors can install malicious plugins, inject PHP backdoors, modify themes, exfiltrate sensitive user data, deploy persistent webshells, or pivot into connected infrastructure. This is a textbook, complete site-takeover scenario.
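The two signals described above, the plugin version and the nonce that wp_localize_script prints into every public page, can be checked passively from a saved copy of a site's front page. The following Python script is an added example written for this article; it is not code from the advisory, from Wordfence, or from the plugin vendor. The plugin slug wp-google-map-gold and the wpgmp_local object name come from the text; the asset path, the script-handle ids, the nonce key name fc_call_nonce and every value in the sample page are assumptions for illustration, which is why the check matches any key containing "nonce" rather than a fixed name.

```python
"""Passive pre-check for CVE-2026-8732 against a saved copy of a site's public HTML.

Two signals from the advisory: the plugin version (vulnerable if below 6.1.1) and
whether the wpgmp_local object that wp_localize_script() prints into every page
carries a nonce that anonymous visitors can read.
"""
import json
import re
import urllib.parse

PATCHED = (6, 1, 1)
PLUGIN_SLUG = "wp-google-map-gold"   # plugin directory name given in the advisory

# Constructed sample page. The asset path, script-handle ids, the nonce key name
# (fc_call_nonce) and all values are assumptions for illustration; only the slug
# and the wpgmp_local object name come from the advisory.
SAMPLE_HTML = r"""<!DOCTYPE html><html><head>
<script src="https://example.com/wp-content/plugins/wp-google-map-gold/assets/js/frontend.js?ver=6.1.0" id="wpgmp-frontend-js"></script>
<script id="wpgmp-frontend-js-extra">
/* <![CDATA[ */
var wpgmp_local = {"ajax_url":"https:\/\/example.com\/wp-admin\/admin-ajax.php","fc_call_nonce":"3f9a1c7b2e","language":"en"};
/* ]]> */
</script>
</head><body><div class="wpgmp_map_container"></div></body></html>
"""

ASSET_RE = re.compile(r'(?:src|href)="([^"]+/plugins/' + re.escape(PLUGIN_SLUG) + r'/[^"]+)"')
LOCALIZED_RE = re.compile(r"var\s+wpgmp_local\s*=\s*(\{.*?\});", re.DOTALL)


def parse_version(text):
    """'6.1.0' -> (6, 1, 0); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def plugin_versions(html):
    """Distinct ver= values on assets served from the plugin's directory.
    WordPress appends the version passed to wp_enqueue_script() as ?ver=."""
    found = set()
    for url in ASSET_RE.findall(html):
        query = urllib.parse.urlparse(url).query
        found.update(urllib.parse.parse_qs(query).get("ver", []))
    return sorted(found)


def localized_nonces(html):
    """Keys of the wpgmp_local object whose name contains 'nonce', with values.
    wp_localize_script() emits the object as JSON inside a <script> tag."""
    match = LOCALIZED_RE.search(html)
    if not match:
        return {}
    data = json.loads(match.group(1))
    return {k: v for k, v in data.items() if "nonce" in k.lower()}


def assess(html):
    """Combine both signals into a verdict a site owner can act on."""
    versions = plugin_versions(html)
    nonces = localized_nonces(html)
    known = [parse_version(v) for v in versions if parse_version(v)]
    if not versions and not nonces:
        verdict = "plugin not detected"
    elif any(v < PATCHED for v in known):
        verdict = "vulnerable version"
        if nonces:
            verdict += "; nonce exposed to anonymous visitors"
    elif known:
        verdict = "patched version; the public nonce no longer grants access"
    else:
        verdict = "version unknown" + ("; nonce exposed" if nonces else "")
    return {"versions": versions, "exposed_nonce_keys": sorted(nonces), "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

To run it against a live site, save the front page (for example with curl -s https://example.com/ > page.html) and pass the file contents to assess(). Caching and minification plugins often strip the ?ver= query string, so a missing version is not evidence of patching; confirm the installed version from the WordPress dashboard in that case. The nonce finding alone is informational after 6.1.1, because the fix moved the decision to a capability check rather than to the nonce.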
The vendor released version 6.1.1 on May 20, 2026, addressing the flaw with a single but decisive fix. The patched wpgmp_temp_access_ajax_callback() function now includes a current_user_can('manage_options') capability check at the very top of the function.
If the request does not come from an authenticated administrator, the endpoint returns a 403 (Forbidden) response and halts execution before any nonce validation or user creation logic runs.
This correctly restricts the temporary access endpoint to authenticated administrators and eliminates the unauthenticated attack vector. The nonce is still public after the update, but it was never the control that mattered: a nonce proves a request originated from a page the site served, not that the requester is allowed to perform the action.
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-8732 |
| CVSS Score | 9.8 (Critical) |
| Affected Versions | WP Maps Pro ≤ 6.1.0 |
| Patched Version | 6.1.1 |
| Attack Vector | Unauthenticated, Remote |
| Impact | Full Administrator Account Creation / Site Takeover |
| Researcher | David Brown (Wordfence Bug Bounty) |
| Bounty Awarded | $1,950.00 |
| Wordfence Premium Firewall Rule | May 18, 2026 |
| Wordfence Free Firewall Rule | June 17, 2026 |
Disclosure Timeline
- March 24, 2026 — Vulnerability submitted via Wordfence Bug Bounty Program
- May 16, 2026 — Report validated; escalated to the Envato security team because no direct vendor contact was available
- May 18, 2026 — Wordfence Premium, Care, and Response users received firewall rule protection
- May 20, 2026 — Vendor released patched version 6.1.1
- June 17, 2026 — Wordfence Free users receive firewall rule protection
Mitigation
- Update immediately — Upgrade WP Maps Pro to version 6.1.1 or later from your WordPress dashboard or CodeCanyon
- Audit administrator accounts — Check the WordPress Users panel for unfamiliar accounts with a username matching fc_user_* or the email address support@flippercode.com; either indicates prior exploitation. Treat a match as a full site compromise rather than a stray account, since an administrator can plant other persistence, and note that an attacker can rename or delete the account afterwards, so its absence is not proof of a clean site
- Deploy a WAF — Wordfence Premium users are already protected; free users should update the plugin (or upgrade to Premium) rather than wait for the June 17, 2026 rule
- Review access logs — Search server logs for POST requests to wp-admin/admin-ajax.php with action=wpgmp_temp_access_ajax as an indicator of exploitation attempts; because admin-ajax actions are normally sent in the POST body, which standard access logs do not record, only requests that carry the action in the query string will match this search
- Enable login notifications — Configure alerts for new administrator account creations as a detection control
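The log review and account audit above can be scripted and, more usefully, tied together: the exploit creates the administrator account inside the same request, so a flagged account whose registration time sits seconds after a matching admin-ajax POST is strong evidence of successful exploitation rather than a mere attempt. The following Python script is an added example for this article, not code from the advisory, Wordfence, or the vendor. The log lines and the user export are constructed sample data; the export is shaped like the JSON output of WP-CLI's wp user list command, and the indicator values (fc_user_ prefix, support@flippercode.com, the wpgmp_temp_access_ajax action) are the ones the advisory names.

```python
"""Hunt for CVE-2026-8732 exploitation: admin-ajax hits, rogue admin accounts, and the link between them."""
import json
import re
import urllib.parse
from datetime import datetime, timedelta, timezone

AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "wpgmp_temp_access_ajax"
SUPPORT_EMAIL = "support@flippercode.com"

# Constructed sample data, not real traffic: access-log lines in Apache/nginx
# combined format, plus a user export shaped like the output of
# `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json`.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [19/May/2026:02:14:03 +0000] "GET / HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2026:02:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.22 - - [19/May/2026:08:30:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "https://example.com/contact" "Mozilla/5.0"
192.0.2.9 - - [19/May/2026:09:01:40 +0000] "GET /wp-login.php HTTP/1.1" 200 5021 "-" "Mozilla/5.0"
"""

SAMPLE_USERS_JSON = """[
 {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
  "user_registered": "2024-01-10 09:00:00", "roles": "administrator"},
 {"ID": 7, "user_login": "editor_jane", "user_email": "jane@example.com",
  "user_registered": "2025-03-02 12:00:00", "roles": "editor"},
 {"ID": 41, "user_login": "fc_user_8f3a1c", "user_email": "support@flippercode.com",
  "user_registered": "2026-05-19 02:14:06", "roles": "administrator"}
]"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
LOG_TS = "%d/%b/%Y:%H:%M:%S %z"   # combined-log timestamp
WP_TS = "%Y-%m-%d %H:%M:%S"        # user_registered, which WordPress stores in UTC


def scan_access_log(log_text):
    """POSTs to admin-ajax.php. Confidence is "high" only when the exploited
    action is visible in the query string; admin-ajax actions normally travel
    in the POST body, which access logs do not record, so other POSTs can only
    be marked for review."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["path"].partition("?")
        if path != AJAX_PATH:
            continue
        actions = urllib.parse.parse_qs(query).get("action", [])
        hits.append({"ip": m["ip"], "timestamp": m["ts"], "status": int(m["status"]),
                     "user_agent": m["ua"],
                     "confidence": "high" if AJAX_ACTION in actions else "review"})
    return hits


def audit_users(users_json):
    """Accounts carrying the indicators the advisory names: an fc_user_ login
    prefix or the hardcoded vendor support address."""
    flagged = []
    for user in json.loads(users_json):
        reasons = []
        if user["user_login"].startswith("fc_user_"):
            reasons.append("login prefix fc_user_")
        if user["user_email"].lower() == SUPPORT_EMAIL:
            reasons.append("hardcoded support email")
        if reasons:
            flagged.append({"id": user["ID"], "user_login": user["user_login"],
                            "registered": user["user_registered"],
                            "is_admin": "administrator" in user["roles"].split(","),
                            "reasons": reasons})
    return flagged


def correlate(hits, flagged, window=timedelta(minutes=10)):
    """Pair each flagged account with a high-confidence hit that precedes its
    creation by at most `window`: the exploit creates the user in the same
    request, so the two timestamps should sit seconds apart."""
    pairs = []
    for acct in flagged:
        created = datetime.strptime(acct["registered"], WP_TS).replace(tzinfo=timezone.utc)
        for hit in hits:
            if hit["confidence"] != "high":
                continue
            seen = datetime.strptime(hit["timestamp"], LOG_TS)
            if timedelta(0) <= created - seen <= window:
                pairs.append((acct["user_login"], hit["ip"], hit["timestamp"]))
    return pairs


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS_LOG)
    accounts = audit_users(SAMPLE_USERS_JSON)
    for pair in correlate(hits, accounts):
        print("account %s created right after exploit POST from %s at %s" % pair)
```

On a real site, feed scan_access_log() the web server's access log and audit_users() the output of wp user list with the fields listed in the comment. An empty result does not clear the site: the action is usually in the POST body and therefore invisible to this search, and an attacker who already holds an administrator session can delete the fc_user_ account and keep access through a plugin, a theme file or a second account, so a positive correlation should start an incident response rather than end one.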
FAQ
Q1: What is CVE-2026-8732?
CVE-2026-8732 is a critical (CVSS 9.8) unauthenticated privilege-escalation vulnerability in WP Maps Pro ≤ 6.1.0 that allows any anonymous attacker to create a WordPress administrator account and take full control of the affected website.
Q2: Which versions of WP Maps Pro are affected by this vulnerability?
All versions of WP Maps Pro up to and including version 6.1.0 are vulnerable; the issue is fully patched in version 6.1.1, released on May 20, 2026.
Q3: How can I tell if this exploit has already compromised my site?
Check your WordPress user list for accounts with usernames starting with fc_user_ or using the email address support@flippercode.com; the prefix and the address are hardcoded in the vulnerable code path, so such an account is direct evidence of exploitation. The absence of one does not prove the site is clean, because an attacker with administrator access can rename or delete it; also review recently installed plugins, modified theme files and any other newly created administrator accounts.
Q4: Does Wordfence Free protect against CVE-2026-8732 right now?
Wordfence Free users will receive the protective firewall rule on June 17, 2026, so immediate manual patching to version 6.1.1 is the only protection available for free-tier users before that date.
Site: thecybrdef.com