A critical privilege escalation vulnerability in the WP Maps Pro WordPress plugin, tracked as CVE-2026-8732, allows unauthenticated attackers to create rogue administrator accounts on affected WordPress sites with a single HTTP request. The vulnerability carries a CVSS score of 9.8 and affects a commercial plugin with over 15,800 sales through Envato Market. Active exploitation is now confirmed — attackers are targeting vulnerable sites to create admin accounts with passwordless login URLs that are exfiltrated to remote attacker-controlled systems, enabling instant full site takeover.
What Is the Vulnerability?
CVE-2026-8732 is a missing authentication vulnerability in WP Maps Pro’s “temporary access” feature. This feature was originally designed to allow the plugin vendor’s support staff to gain temporary access to customer sites for troubleshooting purposes. It is implemented via the wpgmp_temp_access_ajax AJAX action, which was registered with wp_ajax_nopriv_ — making it accessible to unauthenticated users — and protected only by a nonce check.
The nonce value used for this check is publicly embedded in every frontend page of any site running the plugin, delivered via wp_localize_script in the page source. An attacker who extracts this nonce from the HTML source of any page on the target site can send a single crafted AJAX request that triggers the full attack chain: (1) a new WordPress user is created and assigned the administrator role, (2) a passwordless login URL is generated for that account, and (3) the URL is sent to a remote system controlled by the attacker. When the attacker visits the URL, they are automatically authenticated as the newly created administrator — no password, no MFA, no additional interaction required.
The vulnerability was discovered and reported by security researcher David Brown. It is classified under CWE-306 (Missing Authentication for Critical Function):
- CVSS v3.1 Score: 9.8 (Critical)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)
Which Versions Are Affected?
The vulnerability affects all versions of WP Maps Pro up to and including version 6.1.0:
- WP Maps Pro — Google Maps and OpenStreetMap plugin for WordPress: all versions up to 6.1.0
WP Maps Pro is a commercial (paid) plugin sold through Envato Market / CodeCanyon with over 15,800 sales. It is typically used by businesses, real estate websites, travel sites, directories, and organisations that need to display multiple locations on interactive maps. Because it is distributed through a commercial marketplace rather than the WordPress.org plugin repository, site owners may not receive automatic update notifications and may be unaware that a patch is available — this is a significant factor in the exploitation risk.
Is It Being Exploited in the Wild?
Yes — active exploitation is now confirmed. Attackers are actively targeting WordPress sites running vulnerable versions of WP Maps Pro to create rogue administrator accounts. The attack requires only a single unauthenticated HTTP request: the attacker extracts the publicly visible nonce from the target site’s frontend page source, sends a crafted AJAX request to the wpgmp_temp_access_ajax endpoint, and receives a passwordless admin login URL delivered to their remote system. No credentials, no authentication, and no user interaction are needed.
The vulnerability was published on May 29, 2026, and exploitation was confirmed within days. The attack pattern — unauthenticated admin account creation with automatic credential exfiltration — is among the most dangerous vulnerability types for WordPress sites. With over 15,800 installations and a commercial distribution model that slows patch propagation compared to free WordPress.org-hosted plugins, a significant portion of the install base is likely still vulnerable and being actively scanned by attackers. The nonce-based “protection” is trivially bypassed because the nonce value is delivered to every page visitor in the HTML source — it provides no meaningful security barrier.
What Is the Fix?
The WP Maps Pro developer has released a patched version that addresses CVE-2026-8732. The fix removes or properly secures the temporary access functionality that exposed the vulnerable AJAX endpoint. The updated version is available through the plugin’s Envato Market / CodeCanyon distribution channel:
https://codecanyon.net/item/advanced-google-maps-plugin-for-wordpress/5211638
Site administrators should update immediately:
- Log in to your Envato Market / CodeCanyon account and download the latest version of WP Maps Pro
- Upload and activate the updated plugin via the WordPress admin dashboard (Plugins > Add New > Upload Plugin)
- Alternatively, if you have the Envato Market plugin installed, update through Dashboard > Updates
- If you cannot update immediately, disable the plugin entirely until the patch can be applied — an inactive plugin cannot be exploited
Recommendations
Update or disable WP Maps Pro immediately. This is not a theoretical risk — active exploitation is confirmed, and the attack is trivially executable with no authentication or user interaction required. The combination of CVSS 9.8, confirmed in-the-wild exploitation, and a commercial distribution model that delays update propagation makes this one of the most dangerous WordPress plugin vulnerabilities currently active.
Audit your WordPress user list for rogue admin accounts. After updating, immediately check Users > All Users for any unrecognised administrator accounts, particularly recently created accounts with unusual usernames, throwaway email addresses, or no associated posts. If a rogue admin account is found, deleting it and moving on is not enough; treat the site as fully compromised and work through the following:
- Delete the rogue admin account
- Rotate all WordPress user passwords and application passwords
- Review all installed themes and plugins for backdoors (unexpected files, modified core files, obfuscated code)
- Check for unauthorised content modifications, injected scripts, or redirect rules
- Review web server access logs for unusual AJAX requests to WordPress admin-ajax.php endpoints
- Audit the WordPress database for unexpected entries in the wp_users and wp_usermeta tables
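As an added example that is not part of this advisory, the following Python script implements the access-log review above: it parses combined-format web server log lines (the sample lines are constructed) and flags requests to admin-ajax.php that carry the wpgmp_temp_access_ajax action in the query string, plus lower-confidence admin-ajax.php POSTs with no Referer header, since an action sent in the POST body never reaches the access log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache/Nginx combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2026:02:14:03 +0000] "GET / HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2026:02:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.22 - - [30/May/2026:02:20:41 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 96 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.9 - - [30/May/2026:03:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 298 "-" "curl/8.5.0"
203.0.113.7 - - [30/May/2026:03:05:50 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 305 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SUSPICIOUS_ACTION = "wpgmp_temp_access_ajax"  # the vulnerable AJAX action named in the advisory

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return 'confirmed', 'possible' or None for one parsed log entry."""
    url = urlsplit(entry["path"])
    if not url.path.endswith("/admin-ajax.php"):
        return None
    if SUSPICIOUS_ACTION in parse_qs(url.query).get("action", []):
        return "confirmed"
    # Heuristic: the action may have been sent in the POST body, which access logs
    # do not record. Browser-driven admin-ajax.php calls normally carry a Referer,
    # so a POST with none deserves a closer look but is not proof of exploitation.
    if entry["method"] == "POST" and entry["referer"] in ("", "-"):
        return "possible"
    return None

def find_suspicious(log_text):
    """Split log text into (confirmed, possible) lists of parsed entries."""
    confirmed, possible = [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        verdict = classify(entry) if entry else None
        if verdict == "confirmed":
            confirmed.append(entry)
        elif verdict == "possible":
            possible.append(entry)
    return confirmed, possible

if __name__ == "__main__":
    for label, entries in zip(("CONFIRMED", "POSSIBLE"), find_suspicious(SAMPLE_LOG)):
        for e in entries:
            print(f'{label} {e["ts"]} {e["ip"]} {e["method"]} status={e["status"]} ua={e["ua"]}')
```

Run it against a real access log with `find_suspicious(open(path).read())`; any "confirmed" hit dated before the plugin was patched should trigger the full compromise checklist above.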
Check whether your site is detectable as a WP Maps Pro user. The plugin loads identifiable JavaScript and CSS assets on frontend pages. Automated scanners can fingerprint sites running WP Maps Pro by enumerating these assets. If your site needs to remain on a vulnerable version temporarily, consider restricting access to these assets or placing the site behind a Web Application Firewall.
Review your plugin update strategy for commercial plugins. Unlike free plugins hosted on WordPress.org, commercial plugins do not push update notifications through the standard WordPress update mechanism unless you have installed the vendor’s update connector (such as the Envato Market plugin). Ensure you have a process for monitoring and applying updates to all commercial plugins in your WordPress estate — not just those that auto-notify.
Monitor Envato Market / CodeCanyon for update notifications from all commercial plugins in use. Set calendar reminders to check for updates if automatic notifications are not configured. For high-risk plugins with large install bases, consider subscribing to security mailing lists or CVE notification services that cover WordPress plugin vulnerabilities.
References
- NVD: CVE-2026-8732
- WP Maps Pro — Envato Market / CodeCanyon
- BleepingComputer: WP Maps Pro Exploitation
- Vulnerability Intelligence Report — June 1, 2026
- Vulnerability Intelligence Report — May 30, 2026 (initial coverage)
This advisory was first covered in the Vulnerability Intelligence Report — May 30, 2026 and updated with exploitation confirmation in the June 1, 2026 report. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the latest full report.
