Security researchers are warning of a critical vulnerability in the WP Maps Pro plugin for WordPress that attackers are actively exploiting to create unauthorized administrator accounts. The plugin, sold through the Envato Market, has more than 15,000 installations.
Understanding the WP Maps Pro Plugin
WP Maps Pro is a popular WordPress plugin that lets site owners embed customizable Google Maps and OpenStreetMap maps. It supports markers, location listings and other location services, and is commonly used as a store locator that helps visitors find nearby locations and get directions.
The Nature of the Security Flaw
The vulnerability, tracked as CVE-2026-8732 and rated 9.8 (critical), is an unauthenticated privilege escalation flaw. It lets an attacker with no account on the site create a WordPress user with full administrative rights, which amounts to a complete takeover of the affected site. All versions of the plugin up to and including 6.1.0 are affected; the issue is fixed in version 6.1.1. Security researcher David Brown is credited with discovering the flaw.
At the root of the problem is the plugin’s ‘temporary access’ feature, intended to let the vendor’s support staff log in and troubleshoot customer sites. The feature’s AJAX handler, ‘wpgmp_temp_access_support()’, performs no authorization check, so an unauthenticated visitor can invoke it and have it create an account on their behalf.
Technical Insights and Mitigation
According to Wordfence, the ‘wpgmp_temp_access_ajax’ action is inadequately protected: its only gate is a nonce check. A WordPress nonce is a CSRF token, not an authorization check, and for logged-out visitors it is not tied to any identity. Because the plugin prints this nonce into public front-end markup, any visitor can read it from the page source and reuse it, so the check passes for attackers just as it does for legitimate users. An attacker can therefore call the handler with ‘check_temp=false’, which creates an administrator user through ‘wp_insert_user()’ and returns a magic login URL that grants full site access without a password.
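To make the flaw class concrete, the following is an added illustration written for this article; it is not the plugin’s actual code and not Wordfence’s or the vendor’s. The action and function names come from the advisory above, but the nonce action name (‘wpgmp_nonce’), the option and user-meta keys, the request-parameter handling and the handler bodies are assumptions that reproduce the described pattern: a handler reachable without a session, gated only by a nonce that is printed into the front end, with ‘check_temp=false’ falling through to ‘wp_insert_user()’ and a magic login URL. The hardened variant shows the class of fix the advisory describes (restricting the handler to authenticated administrators) by dropping the ‘nopriv’ hook and adding a capability check; the file loads as a must-use plugin and defaults to the hardened registration unless ‘WPGMP_DEMO_VULNERABLE’ is defined.

```php
<?php
/**
 * Added illustration of the nonce-only authorization flaw. NOT the plugin's code:
 * nonce action name, option/meta keys, parameter handling and bodies are assumed.
 */

// The nonce is pushed into public page markup for the front-end script. Every
// visitor, logged in or not, can read it from the HTML.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'wpgmp-front', plugins_url( 'front.js', __FILE__ ), array(), '1.0', true ); // path assumed
    wp_localize_script( 'wpgmp-front', 'wpgmp', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'wpgmp_nonce' ), // same value for every logged-out visitor
    ) );
} );

// Shared creation logic: an administrator plus a single-use magic login token.
function wpgmp_create_support_admin(): array {
    $user_id = wp_insert_user( array(
        'user_login' => 'wpgmp_support_' . wp_generate_password( 6, false, false ),
        'user_pass'  => wp_generate_password( 24, true, true ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return array( 'error' => $user_id->get_error_message() );
    }
    $token = wp_generate_password( 32, false, false );
    update_user_meta( $user_id, 'wpgmp_login_token', wp_hash( $token ) ); // store a keyed hash, not the token
    update_option( 'wpgmp_temp_access_user', $user_id );
    return array( 'login_url' => add_query_arg( 'wpgmp_token', $token, home_url( '/' ) ) );
}

// Consumes the magic login URL. Identical in both variants: the flaw is not here
// but in who is allowed to mint a token.
add_action( 'init', function () {
    if ( empty( $_GET['wpgmp_token'] ) ) {
        return;
    }
    $user_id = (int) get_option( 'wpgmp_temp_access_user' );
    $stored  = $user_id ? (string) get_user_meta( $user_id, 'wpgmp_login_token', true ) : '';
    if ( '' !== $stored && hash_equals( $stored, wp_hash( (string) $_GET['wpgmp_token'] ) ) ) {
        delete_user_meta( $user_id, 'wpgmp_login_token' ); // single use
        wp_set_auth_cookie( $user_id );
        wp_safe_redirect( admin_url() );
        exit;
    }
} );

// ---- Vulnerable pattern ----------------------------------------------------
function wpgmp_temp_access_support_vulnerable() {
    // CSRF check only. For an anonymous caller the nonce proves nothing about
    // identity, so anyone who scraped it from the page passes this line.
    check_ajax_referer( 'wpgmp_nonce', 'nonce' );

    $check_temp = isset( $_REQUEST['check_temp'] ) ? (string) $_REQUEST['check_temp'] : 'true';
    if ( 'true' === $check_temp ) {
        // Status branch (assumed): report whether support access already exists.
        wp_send_json_success( array( 'active' => (bool) get_option( 'wpgmp_temp_access_user' ) ) );
    }
    // check_temp=false: create an administrator with no capability check at all.
    wp_send_json_success( wpgmp_create_support_admin() );
}

// ---- Hardened pattern ------------------------------------------------------
function wpgmp_temp_access_support_fixed() {
    check_ajax_referer( 'wpgmp_nonce', 'nonce' );     // still useful: blocks CSRF
    if ( ! current_user_can( 'manage_options' ) ) {   // authorization: admins only
        wp_send_json_error( 'forbidden', 403 );       // wp_send_json_error() calls wp_die()
    }
    $check_temp = isset( $_REQUEST['check_temp'] ) ? (string) $_REQUEST['check_temp'] : 'true';
    if ( 'true' === $check_temp ) {
        wp_send_json_success( array( 'active' => (bool) get_option( 'wpgmp_temp_access_user' ) ) );
    }
    wp_send_json_success( wpgmp_create_support_admin() );
}

if ( defined( 'WPGMP_DEMO_VULNERABLE' ) && WPGMP_DEMO_VULNERABLE ) {
    // The nopriv hook is what exposes the handler to visitors without a session.
    add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support_vulnerable' );
    add_action( 'wp_ajax_wpgmp_temp_access_ajax',        'wpgmp_temp_access_support_vulnerable' );
} else {
    // No nopriv registration: unauthenticated requests to this action get a 0/400
    // from admin-ajax.php before the handler runs.
    add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support_fixed' );
}
```

The point to take away is the two-line difference: a nonce verified with ‘check_ajax_referer()’ only answers "did this request come from a page that carried my token", and a token that any visitor can read answers that question for everyone. Authorization has to come from ‘current_user_can()’ (or an equivalent capability check) before any state-changing call such as ‘wp_insert_user()’, and privileged handlers should never be registered on a ‘wp_ajax_nopriv_’ hook.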
The fix, shipped in version 6.1.1 on May 20, 2026, restricts the handler to authenticated administrators. Exploitation has not stopped: Wordfence reported blocking 2,858 attack attempts against the flaw in a single day.
Conclusion and Recommendations
The ongoing exploitation of this vulnerability makes it urgent for site owners running WP Maps Pro to update to the latest version immediately. Updating closes the hole but does not undo an intrusion that already happened: an administrator account the attacker created survives the upgrade. After updating, review the site’s administrator list for accounts you did not create, particularly any registered since the flaw became public, and treat one you find as a sign of compromise that warrants a fuller incident response rather than just deleting the account.
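As an added post-update triage helper, not part of the advisory or of the plugin, the script below can be run inside a WordPress install with WP-CLI (‘wp eval-file audit-admins.php’, optionally with ‘--revoke’). It lists administrator accounts registered on or after a cutoff date and, with ‘--revoke’, destroys those accounts’ sessions so a stolen cookie or magic login link stops working while you investigate. The cutoff date and the function names are assumptions; set the date to the last point at which you know the site was clean.

```php
<?php
/**
 * Added triage helper (not the advisory's or the plugin's code). Usage:
 *   wp eval-file audit-admins.php            # list administrators registered since $since
 *   wp eval-file audit-admins.php --revoke   # also invalidate their sessions
 * Requires WordPress to be loaded, which wp eval-file does by default.
 */

// Administrator accounts whose registration timestamp is on or after $since.
// $since must be UTC in 'Y-m-d H:i:s' form, the format WordPress stores in
// wp_users.user_registered, so a plain string comparison orders correctly.
function wpmaps_find_recent_admins( string $since ): array {
    $found = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( strcmp( $user->user_registered, $since ) >= 0 ) {
            $found[] = array(
                'ID'         => (int) $user->ID,
                'user_login' => $user->user_login,
                'user_email' => $user->user_email,
                'registered' => $user->user_registered,
            );
        }
    }
    return $found;
}

// Invalidate every session token for a suspect account. Reversible: a legitimate
// user simply logs in again, but an attacker's cookie and any unexpired magic
// login session stop working immediately.
function wpmaps_revoke_sessions( int $user_id ): void {
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
}

$since  = '2026-05-01 00:00:00';                       // ASSUMED cutoff: set to your last known-good date
$revoke = in_array( '--revoke', $args ?? array(), true ); // $args is populated by wp eval-file

$recent = wpmaps_find_recent_admins( $since );
if ( empty( $recent ) ) {
    echo "No administrator accounts registered since {$since}.\n";
}
foreach ( $recent as $admin ) {
    printf( "%d\t%s\t%s\t%s\n", $admin['ID'], $admin['user_login'], $admin['user_email'], $admin['registered'] );
    if ( $revoke ) {
        wpmaps_revoke_sessions( $admin['ID'] );
        echo "  sessions revoked for user {$admin['ID']}\n";
    }
}
```

Anything the script flags should be cross-checked against your web server access log: requests to ‘admin-ajax.php’ with ‘action=wpgmp_temp_access_ajax’ and ‘check_temp=false’ from an address that had no session are the exploit traffic described above. Remove a confirmed rogue account with ‘wp user delete <ID> --reassign=<your-admin-ID>’ so any content it created is preserved for review, and assume the attacker may have planted other persistence (additional users, modified plugin or theme files) once one admin account has been confirmed.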
