The critical vulnerability CVE-2026-8732 (CVSS 9.8) in the WordPress plugin WP Maps Pro is being actively exploited by attackers to create administrator accounts on vulnerable sites. The plugin, intended for embedding interactive Google Maps and OpenStreetMap maps, has been sold more than 15,000 times via Envato Market. The vulnerability affects all versions up to and including 6.1.0 and is fixed in version 6.1.1. According to Wordfence, 2,858 attacks targeting this vulnerability have been blocked over the past 24 hours—site owners using this plugin need to update immediately.
Technical details of the vulnerability
The root cause is the “temporary access” feature, designed to allow technical support staff to log in to a customer’s site while troubleshooting issues. As Wordfence researchers report, the implementation of this feature contains a critical architectural flaw: the AJAX handler wpgmp_temp_access_ajax is registered with the wp_ajax_nopriv_ hook, which makes it accessible to unauthenticated users.
The only protection mechanism is validation of the nonce token fc-call-nonce; however, this token is publicly embedded in every front-end page via wp_localize_script as a field of the wpgmp_local object. As a result, the nonce check provides no access control: any site visitor can extract the token from the page's source code.
The exploitation chain looks as follows:
- The attacker obtains the nonce token from the public JavaScript object on any page of the site
- They send an AJAX request to the wpgmp_temp_access_support handler with the parameter check_temp=false
- The function unconditionally creates a new WordPress user with the hardcoded administrator role via wp_insert_user()
- The server returns a "magic" login link which, when followed, calls wp_set_auth_cookie(), fully authenticating the attacker as an administrator
The result is complete site compromise without the need to know any credentials. The CVSS 9.8 score reflects the severity: remote attack vector, no authentication requirements, low exploitation complexity.
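To make the architectural point concrete, the following added illustration (not WP Maps Pro code, and not taken from Wordfence) contrasts the pattern described above, a wp_ajax_nopriv_ handler whose only gate is a nonce that every visitor receives, with a hardened handler that treats the nonce as CSRF protection and performs an explicit capability check. Hook names, the nonce action, the role chosen, the expiry meta key and all function names are assumptions.

```php
<?php
// Added illustration of the pattern described in the advisory; not WP Maps Pro code.
// Hook names, the nonce action and all function names are assumptions.

// ---- Vulnerable pattern: the handler is reachable without a session ----
// wp_ajax_nopriv_* fires for unauthenticated visitors, so anyone can call it.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' );
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_vulnerable' );

function example_temp_access_vulnerable() {
    // The nonce is handed to every visitor via wp_localize_script(), so this
    // check proves only that the caller loaded a page, not who the caller is.
    check_ajax_referer( 'example-temp-access', 'nonce' );
    // ... a privileged user is created and a login link returned (omitted) ...
    wp_die();
}

// ---- Hardened pattern ----
// 1. Register for authenticated requests only: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );

function example_temp_access_hardened() {
    // 2. Keep the nonce; it is CSRF protection, not authorization.
    check_ajax_referer( 'example-temp-access', 'nonce' );

    // 3. Authorization is an explicit capability check on the current user.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. Create the support account with a random password and a role fixed
    //    server-side at the minimum needed for the task, not administrator.
    $user_id = wp_insert_user( array(
        'user_login' => 'support-' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 32, true, true ),
        'role'       => 'editor', // least-privilege role (assumed for the example)
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // 5. Record an expiry so a scheduled task can remove the account (assumed key).
    update_user_meta( $user_id, 'example_temp_access_expires', time() + DAY_IN_SECONDS );

    // 6. Do not hand out a login link; return only the new user id.
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```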
Scope of the threat and active exploitation
According to Wordfence telemetry, the vulnerability is already under active exploitation. In 24 hours the company recorded and blocked 2,858 attacks targeting this vulnerability. It should be borne in mind that these figures reflect only traffic passing through Wordfence infrastructure—the real number of exploitation attempts may be significantly higher.
WP Maps Pro is a commercial plugin distributed via Envato Market (CodeCanyon), not via the official WordPress.org repository. This creates an additional risk factor: commercial plugins from Envato do not support automatic updates through the standard WordPress mechanism, which means many site owners may be unaware that a patch is available and will not receive an update notification.
The plugin is used primarily as a store and location finder, which makes it typical of sites run by retail chains, service companies, and organizations with physical points of presence.
Impact assessment
Successful exploitation of CVE-2026-8732 grants the attacker full administrative rights on the WordPress site. This opens the door to:
- Injecting malicious code and redirects to phishing resources
- Stealing data from the WordPress database, including users’ and customers’ personal information
- Using the compromised site as a foothold for further attacks
- Placing web shells to maintain persistent access even after the plugin is updated
- Complete destruction or replacement of site content
What makes the situation especially dangerous is that the exploitation method is trivial and does not require specialized tools—one standard HTTP request with a nonce token available on any page of the site is sufficient.
Response recommendations
Immediate update: install WP Maps Pro version 6.1.1 or higher. The patch released on May 20, 2026 restricts access to the vulnerable endpoint to authenticated administrators only.
Compromise assessment: if the update was not applied promptly, you must check the list of WordPress users for unknown accounts with the administrator role. Pay particular attention to accounts created after the public disclosure of the vulnerability.
Additional measures for already compromised sites:
- Delete all unknown administrator accounts
- Check the file system for web shells and modified WordPress core files
- Change the passwords of all existing administrators and update the secret keys in wp-config.php
- Check for scheduled tasks (WP-Cron) and unknown plugins that may have been installed by the attacker
- Consider restoring from a backup created before the start of exploitation
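As an added helper (not from the plugin, Wordfence, or the advisory), the following PHP script, run inside WordPress with WP-CLI, carries out the user review from the compromise-assessment step and the WP-Cron check from the list above: it lists administrator accounts newest first, flags logins that are not on an operator-maintained allowlist or that were registered after a cutoff, and prints every scheduled cron hook together with whether any loaded code still registers a callback for it. The cutoff date (the patch date given above), the allowlist names and the file name are assumptions.

```php
<?php
// Added audit helper for the compromise-assessment steps above; it is not part of
// WP Maps Pro or Wordfence. Run inside WordPress, e.g.: wp eval-file audit-admins.php
defined( 'ABSPATH' ) || exit;

// Cutoff for "recent" accounts: the patch date given in the advisory; adjust to
// your own exposure window (e.g. when the vulnerable version was installed).
$since = '2026-05-20 00:00:00';
// Operator-maintained list of administrator logins that are expected to exist
// (constructed placeholder values).
$known_admins = array( 'alice', 'bob' );

// 1. Administrator accounts, newest first, flagging unknown and recent ones.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
printf( "Administrator accounts: %d\n", count( $admins ) );
foreach ( $admins as $u ) {
    $flags = array();
    if ( ! in_array( $u->user_login, $known_admins, true ) ) {
        $flags[] = 'UNKNOWN LOGIN';
    }
    if ( $u->user_registered >= $since ) { // both are 'Y-m-d H:i:s' UTC strings
        $flags[] = 'REGISTERED AFTER CUTOFF';
    }
    printf( "  #%-5d %-24s %-32s %s  %s\n", $u->ID, $u->user_login,
        $u->user_email, $u->user_registered, implode( ', ', $flags ) );
}

// 2. Every scheduled WP-Cron hook with its next run and whether any loaded code
//    still registers a callback for it. Review any hook you do not recognise.
printf( "\nScheduled WP-Cron hooks:\n" );
foreach ( (array) _get_cron_array() as $timestamp => $hooks ) {
    foreach ( $hooks as $hook => $events ) {
        printf( "  %s  %-40s callback registered: %s\n",
            gmdate( 'Y-m-d H:i:s', $timestamp ), $hook,
            has_action( $hook ) ? 'yes' : 'NO (orphaned or hidden)' );
    }
}
```

A hook with no registered callback is only a review prompt: its code may legitimately have been removed, or it may belong to a plugin that was deleted as part of cleanup.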
Given the active exploitation and critical CVSS 9.8 rating, updating WP Maps Pro to version 6.1.1 should be treated as a top priority—to be completed within hours, not days. Site owners who purchased the plugin via Envato Market must manually download and install the updated version, since automatic delivery of updates for such plugins is generally not provided. If an immediate update is not possible, temporarily deactivating the plugin until the patch is installed can serve as a stopgap measure.