PT-2026-44744 · WordPress · Wp Maps Pro

David Brown

·

Published

2026-05-28

·

Updated

2026-06-01

·

CVE-2026-8732

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WP Maps Pro versions prior to 6.1.1
Description: The WP Maps Pro plugin for WordPress is subject to privilege escalation allowing unauthenticated attackers to create administrator accounts. This occurs because the AJAX action 'wpgmp_temp_access_ajax' is registered with wp_ajax_nopriv and relies only on a nonce check using fc-call-nonce; that nonce is publicly embedded in frontend pages via wp_localize_script within the wpgmp_local JavaScript object, so anyone can read it, and a nonce in any case only guards against CSRF and does not establish who the caller is, making the check ineffective as an authorization control. Attackers can invoke the wpgmp_temp_access_support() handler by passing the variable check_temp set to false, which triggers wp_insert_user() to create a new administrator user. The system then returns a magic login URL that uses wp_set_auth_cookie() to authenticate the attacker, leading to full site takeover. Approximately 15,000 sites are estimated to be affected, and the issue has been actively exploited in the wild.
Recommendations: Update to version 6.1.1 or later. As a temporary workaround, disable the plugin until the update is applied. Audit the administrator user list and remove any unauthorized accounts. Review recent site changes, including new plugins, modified theme files, injected scripts, and redirect rules. Search logs for POST requests to 'wp-admin/admin-ajax.php' with the action wpgmp_temp_access_support to identify exploitation.
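The log search recommended above, as an added triage script that is not part of this advisory: it assumes web-server access logs in the Combined Log Format, flags POSTs to admin-ajax.php whose query string names the wpgmp_temp_access_support action, and treats other POSTs to admin-ajax.php as candidates, since the action is often sent in the request body, which access logs do not record. The sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: client, identd, user, [timestamp], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "wpgmp_temp_access_support"   # action named in the advisory


def classify(line):
    """Return 'exploit', 'candidate' or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(AJAX_PATH):
        return None
    if SUSPECT_ACTION in parse_qs(parts.query).get("action", []):
        return "exploit"      # action visible in the query string
    # admin-ajax.php also accepts the action in the POST body, which the
    # access log does not capture, so any other POST to it is a candidate
    # worth correlating with new administrator accounts created at that time.
    return "candidate"


def triage(lines):
    """Group (client IP, timestamp, status) tuples by verdict."""
    hits = {"exploit": [], "candidate": []}
    for line in lines:
        verdict = classify(line)
        if verdict:
            m = LOG_RE.match(line)
            hits[verdict].append((m.group("ip"), m.group("ts"), m.group("status")))
    return hits


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_support HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - - [28/May/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.test/" "Mozilla/5.0"
198.51.100.4 - - [28/May/2026:10:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for verdict, rows in triage(SAMPLE_LOG.splitlines()).items():
        for ip, ts, status in rows:
            print(f"{verdict:9} {ip:15} {ts} status={status}")
```

Feed real logs with `triage(open(path).readlines())`; a 200 response on an "exploit" hit should be followed by a check of wp_users for administrator accounts created around that timestamp.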

Fix

LPE

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-8732

Affected Products

Wp Maps Pro