Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro, a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites.
WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, listings, and advanced location features on WordPress sites. It is used as a store locator tool, making it easier for users to find nearby locations, view listing details, and get directions.
The vulnerability in question is CVE-2026-8732 (CVSS score: 9.8), a privilege escalation bug that allows unauthenticated attackers to create a WordPress user with administrative permissions, effectively allowing them to take control of a site.
The shortcoming impacts all versions of the plugin prior to and including 6.1.0. It has been addressed in version 6.1.1. Security researcher David Brown has been credited with discovering and reporting the flaw.
At a high level, the problem is rooted in a “temporary access” feature that’s designed to allow support staff to log in to a customer’s site during troubleshooting. Because this process allows unauthenticated users to invoke the “wpgmp_temp_access_support()” function without adequate checks, it ultimately allows them to create an administrator user.
“This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism,” Wordfence said.
“This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.”
The patch released by the plugin maintainers on May 20, 2026, closes the vulnerability by ensuring that only authenticated administrators can access the endpoint.
That said, the security flaw has since come under active exploitation, with Wordfence stating that it has blocked 2,858 attacks targeting the issue over the past 24 hours. It’s therefore essential that site owners update their instances to the latest version for optimal protection.
