Critical WP Maps Pro Vulnerability Allows Admin Account Creation
A critical security vulnerability in the popular WP Maps Pro WordPress plugin could allow attackers to gain full control of affected websites by creating unauthorized administrator accounts.
The flaw, tracked as CVE-2026-8732 with a CVSS score of 9.8, impacts all plugin versions up to 6.1.0 and has raised serious concerns across the WordPress ecosystem.
WP Maps Pro Vulnerability
The vulnerability was discovered by security researcher David Brown and reported through the Wordfence Bug Bounty Program, earning a $1,950 reward.
WP Maps Pro, which has recorded more than 15,000 sales on CodeCanyon, is widely used to embed customizable Google Maps with advanced location features.
At the core of the issue is an unauthenticated privilege escalation flaw within the plugin’s AJAX functionality. Specifically, the vulnerable endpoint is exposed through the wpgmp_temp_access_ajax action, which is incorrectly registered to allow unauthenticated access.
Although the function includes a nonce check, the nonce is publicly accessible within the frontend JavaScript, rendering the protection ineffective.
Attackers can exploit this weakness by sending a crafted request with a parameter that triggers the plugin’s temporary access feature.

This feature was originally designed to grant support staff temporary login access but lacks proper authorization checks. As a result, the plugin automatically creates a new user with administrator privileges using built-in WordPress functions.
Once the account is created, the plugin generates a “magic login URL” that allows passwordless authentication. Visiting this URL logs the attacker in as an administrator via a session cookie, granting them unrestricted control over the website.
This includes the ability to install malicious plugins, inject backdoors, manipulate site content, or exfiltrate sensitive data.
The vendor has addressed the vulnerability in version 6.1.1 by implementing a proper capability check using current_user_can('manage_options'), ensuring that only authenticated administrators can access the sensitive functionality.
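As an added illustration (not the plugin's code, nor Wordfence's), a small static check for the pattern described above: an AJAX action registered for unauthenticated visitors whose handler relies on a nonce but never calls current_user_can() before creating a user. The PHP it scans is a constructed sample, and the handler and nonce names in it are assumptions.

```python
import re

# Constructed PHP sample modelled on the pattern in the write-up: an AJAX action
# registered for unauthenticated visitors whose handler checks a nonce but no
# capability before creating a user. Illustrative only, not the plugin's source.
SAMPLE_PHP = r"""
add_action('wp_ajax_nopriv_wpgmp_temp_access_ajax', 'wpgmp_temp_access_handler');
add_action('wp_ajax_wpgmp_safe_ajax', 'wpgmp_safe_handler');

function wpgmp_temp_access_handler() {
    check_ajax_referer('wpgmp-nonce', 'nonce');
    $id = wp_insert_user(array('user_login' => 'support', 'role' => 'administrator'));
    wp_send_json_success($id);
}

function wpgmp_safe_handler() {
    check_ajax_referer('wpgmp-nonce', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    wp_insert_user(array('user_login' => 'support', 'role' => 'administrator'));
}
"""

REGISTER_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")
USER_CREATION = ("wp_insert_user", "wp_create_user")

def function_body(src, name):
    """Return the body of a top-level PHP function, found by simple brace matching."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_risky_ajax_handlers(src):
    """Flag nopriv AJAX handlers that create users without current_user_can().
    A nonce check is not authorisation, least of all a nonce exposed in public JS."""
    findings = []
    for nopriv, action, handler in REGISTER_RE.findall(src):
        body = function_body(src, handler)
        if body is None:
            continue
        creates_user = any(fn in body for fn in USER_CREATION)
        if nopriv and creates_user and "current_user_can(" not in body:
            findings.append({"action": action, "handler": handler})
    return findings
```

Running it over the sample flags only wpgmp_temp_access_handler; the hardened handler passes because it gates user creation behind the capability check the vendor's fix describes.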
Wordfence acted swiftly to protect users by deploying a firewall rule on May 18, 2026, for its premium, care, and response customers.
Users of the free version are scheduled to receive the same protection on June 17, 2026. Due to the lack of direct vendor contact, the vulnerability disclosure was coordinated through Envato’s security team.
Security experts strongly urge all WP Maps Pro users to update to version 6.1.1 immediately. Websites running outdated versions remain highly vulnerable to exploitation, with attackers requiring no authentication to compromise entire systems.
This incident highlights the ongoing risks posed by improperly secured AJAX endpoints. It underscores the importance of implementing strict access controls in plugin development.