Security Alert Summary
The WP Maps Pro plugin for WordPress contains a privilege escalation vulnerability that can allow an unauthenticated attacker to create an administrator account and authenticate as that user. The issue is caused by an AJAX action exposed to unauthenticated requests and a nonce that is publicly embedded in frontend pages, which together allow the creation of a privileged user and immediate authentication via a generated login URL.
CVE Details
- CVE ID: CVE-2026-8732
- Affected component: WP Maps Pro plugin for WordPress
- Affected versions: All versions up to, and including, 6.1.0
- Published: May 29, 2026 at 07:16:14 AM UTC
- Last modified: May 29, 2026 at 01:09:05 PM UTC
- CVSS v3.1: Base Score 9.8, Severity CRITICAL, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / Privileges / User interaction: No authentication required; privileges required: none; user interaction: none (from CVSS data)
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness: CWE-306 (Missing Authentication for Critical Function)
Technical Details
The plugin registers an AJAX action named wpgmp_temp_access_ajax using the wp_ajax_nopriv_ hook and protects the request only with a nonce named fc-call-nonce. That nonce is embedded on frontend pages by the plugin via wp_localize_script as part of the wpgmp_local JavaScript object, which makes the nonce value publicly available. Because the nonce is exposed, the nonce check does not serve as an effective access control mechanism.
An unauthenticated caller can invoke the wpgmp_temp_access_support handler with check_temp=false. When invoked this way, the handler unconditionally creates a new WordPress user with a hardcoded role of administrator via wp_insert_user(). The handler also returns a magic login URL which, when visited, calls wp_set_auth_cookie() to authenticate the attacker as the newly created administrator account. The combined effect is that an unauthenticated remote attacker can create an administrator account and gain administrative access to the site.
This description is based on the submitted vulnerability details. It explains the specific functions and hooks involved and the resulting impact without conjecture beyond the provided information.
How This Could Impact Your Website
In a realistic scenario, a small business website runs WP Maps Pro and has multiple users: a site owner, internal staff (editors or contributors), and an external contractor who occasionally posts content. Because the vulnerability allows creation of a new administrator account without authentication, an attacker could obtain full administrative access without compromising an existing user account.
Practical consequences include:
- Unauthorized administrative access leading to modification or deletion of content and settings.
- Exposure of internal user information such as email addresses stored in WordPress user records, increasing risk of targeted phishing or social engineering against staff or contractors.
- Potential deployment of backdoors, unauthorized plugins, or malicious redirects that could affect site visitors and reputation.
If you\’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially accounts with elevated privileges such as administrators.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and themes from your site.
- Monitor site activity and logs for unusual behavior such as unexpected user creation, login events, or new administrator accounts.
If you\’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.