⚡ Active KEV CVE-2026-8732 2026-05-29

CVE-2026-8732: Unauthenticated Admin Takeover in WP Maps Pro WordPress Plugin

A critical (CVSS 9.8) authentication bypass in the WP Maps Pro plugin lets unauthenticated attackers create administrator accounts and fully take over affected WordPress sites.

What Is It

CVE-2026-8732 is a Missing Authentication for Critical Function flaw (CWE-306) in the WP Maps Pro plugin for WordPress, affecting all versions up to and including 6.1.0. The wpgmp_temp_access_ajax AJAX action is registered with wp_ajax_nopriv_, exposing it to unauthenticated visitors. Its only access control is a nonce check against the fc-call-nonce nonce, which is publicly embedded in every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object. Because the nonce is freely readable by anyone who loads a page, it does not function as an access control.

By invoking the wpgmp_temp_access_support handler with check_temp=false, an attacker triggers wp_insert_user() to unconditionally create a new WordPress user with a hardcoded administrator role. The handler then returns a "magic" login URL that calls wp_set_auth_cookie(), fully authenticating the attacker as the newly minted administrator.

Why It Matters

The vulnerability is unauthenticated, network-reachable, and requires no user interaction (AV:N/AC:L/PR:N/UI:N), with high impact to confidentiality, integrity, and availability. Successful exploitation results in complete site takeover; attackers can install malicious plugins, modify content, exfiltrate data, pivot to hosting infrastructure, or use the site to deliver malware to visitors. WordPress sites running vulnerable maps functionality on public-facing pages expose the loaded nonce automatically, meaning exploitation is trivial.

What's Vulnerable

Patch Status

The supplied source material does not specify a fixed version. The NVD record (published 2026-05-29) lists status as "Deferred" and the disclosed range covers everything through 6.1.0. There is no CISA KEV entry indicating confirmed active exploitation at this time. Operators should consult the Wordfence advisory for the latest patched version and, in the interim, deactivate the plugin or restrict access to admin-ajax.php calls for the wpgmp_temp_access_ajax action.
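One way to apply the interim restriction above is a WordPress must-use plugin that refuses the action before the plugin's own handler runs. This is an added example, not code from the plugin vendor or Wordfence; it assumes the hook name is exactly wpgmp_temp_access_ajax as stated above and that the plugin registered its handler at the default priority (10), so a priority-0 callback runs first.

```php
<?php
/**
 * Plugin Name: Interim block for wpgmp_temp_access_ajax (CVE-2026-8732)
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: the vulnerable handler is hooked at the default priority (10),
 * so a callback at priority 0 on the same hook runs ahead of it and exits.
 */

// Unauthenticated path: the page states the only check is a public nonce,
// so refuse the request outright before the plugin's handler is reached.
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'mitig_block_wpgmp_temp_access', 0 );

// Authenticated path: require an administrator-level capability, since the
// handler itself enforces none (a low-privilege account must not create admins).
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'mitig_require_admin_cap', 0 );

function mitig_block_wpgmp_temp_access() {
    mitig_log_and_deny( 'unauthenticated' );
}

function mitig_require_admin_cap() {
    if ( ! current_user_can( 'manage_options' ) ) {
        mitig_log_and_deny( 'insufficient-capability' );
    }
}

function mitig_log_and_deny( $reason ) {
    // Record enough context to correlate with web-server logs, then stop.
    // wp_send_json_error() calls wp_die(), so later callbacks never run.
    error_log( sprintf(
        'wpgmp_temp_access_ajax blocked (%s) from %s',
        $reason,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

Blocked requests show up in the PHP error log, which gives a simple detection signal while the plugin remains installed; remove the file once the vendor's fixed version is deployed and verified.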

Sources