CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password

https://securityaffairs.com/192977/hacking/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html

Publish Date: 2026-06-01 08:11:00

Source Domain: securityaffairs.com

Pierluigi Paganini
June 01, 2026

CVE-2026-8732 in WP Maps Pro lets unauthenticated attackers create WordPress admin accounts. 2,858 attacks blocked in 24 hours.

The WP Maps Pro plugin lets WordPress site owners embed Google Maps and OpenStreetMap with markers, listings, and location search. It is a store locator tool. Unremarkable. The plugin is installed on over 15,000 websites, according to sales data from Envato Market. And right now, attackers are actively exploiting a critical flaw in it that lets anyone on the internet create a full administrator account on an affected site without logging in first.

The vulnerability is tracked as CVE-2026-8732 and received a CVSS score of 9.8. The root cause is a “temporary access” feature built to let the plugin’s support staff log into a customer’s site during troubleshooting. That feature registered an AJAX action called wpgmp_temp_access_ajax through WordPress’s wp_ajax_nopriv_ hook, which means unauthenticated visitors can call it. The only protection was a nonce check, and the nonce itself was embedded in every public frontend page of the site via wp_localize_script, so any visitor could read it.

“This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.” reads the report published by the WordPress security firm that disclosed the flaw.

The design is almost impressive in how thoroughly it fails. A nonce is meant to prevent cross-site request forgery, not control access. Using it as an authentication gate for a publicly accessible…
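The same "temporary support access" design, rebuilt the way a plugin reviewer would expect it, as an added example that is not code from WP Maps Pro or from the advisory. Only the names wpgmp_temp_access_ajax and wpgmp_temp_access_support come from the text above; the example_ prefix, the script handle, the file name and the role chosen for the support account are assumptions. The vulnerable shape is kept as comments; the hardened version keeps the nonce for what it is (CSRF protection), drops the wp_ajax_nopriv_ registration, adds a capability check, stops handing out the administrator role, and replaces the public nonce as a credential with a single-use, short-lived token that exists server-side only as a hash.

```php
<?php
/**
 * Added example: hardened temporary support access for a WordPress plugin.
 * Not the plugin's source. All example_* names and 'example-admin-js' are assumed.
 *
 * Vulnerable shape described in the advisory (reconstruction, not the real code):
 *   add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support' );
 *   // handler ran only check_ajax_referer(), then wp_insert_user( [ 'role' => 'administrator' ] )
 *   // and returned a magic URL that called wp_set_auth_cookie() for that user.
 * A nonce printed into every public page is not a secret, so the nopriv hook was open to anyone.
 */

// 1. Only authenticated requests reach the handler: no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_example_temp_access', 'example_issue_temp_access' );

function example_issue_temp_access() {
	// CSRF protection only: the nonce proves the request came from a page we rendered.
	check_ajax_referer( 'example_temp_access', 'nonce' );

	// Authorization is a separate check: only an existing administrator may grant access.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// The support account gets a limited role (assumed: editor), never 'administrator'.
	$user_id = wp_insert_user( array(
		'user_login' => 'support_' . wp_generate_password( 8, false ),
		'user_pass'  => wp_generate_password( 32 ),
		'role'       => 'editor',
	) );
	if ( is_wp_error( $user_id ) ) {
		wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
	}

	// Single-use, short-lived token. Only its SHA-256 hash is stored; the transient expires on its own.
	$token = wp_generate_password( 32, false );
	set_transient(
		'example_temp_access_' . hash( 'sha256', $token ),
		array( 'user_id' => $user_id, 'granted_by' => get_current_user_id() ),
		15 * MINUTE_IN_SECONDS
	);
	error_log( sprintf( 'example: temp support access for user %d issued by user %d', $user_id, get_current_user_id() ) );

	wp_send_json_success( array(
		'login_url' => add_query_arg( 'example_temp_access', $token, home_url( '/' ) ),
	) );
}

// 2. Magic-link consumer: the server-side token record, not a nonce, is the credential.
add_action( 'init', 'example_consume_temp_access' );

function example_consume_temp_access() {
	if ( empty( $_GET['example_temp_access'] ) ) {
		return;
	}
	$token = sanitize_text_field( wp_unslash( $_GET['example_temp_access'] ) );
	$key   = 'example_temp_access_' . hash( 'sha256', $token );
	$grant = get_transient( $key ); // lookup by hash: no plaintext token on the server, no timing-sensitive compare
	if ( false === $grant || empty( $grant['user_id'] ) ) {
		wp_die( 'Invalid or expired support link.', 'Forbidden', array( 'response' => 403 ) );
	}
	delete_transient( $key ); // single use: a leaked or replayed URL is dead after the first visit

	wp_set_current_user( (int) $grant['user_id'] );
	wp_set_auth_cookie( (int) $grant['user_id'], false, is_ssl() );
	wp_safe_redirect( admin_url() );
	exit;
}

// 3. Hand the nonce only to users who are allowed to use the feature.
add_action( 'wp_enqueue_scripts', 'example_localize_temp_access' );

function example_localize_temp_access() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return; // anonymous visitors get neither the script nor the nonce
	}
	wp_enqueue_script( 'example-admin-js', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true ); // admin.js is assumed
	wp_localize_script( 'example-admin-js', 'exampleTempAccess', array(
		'ajax_url' => admin_url( 'admin-ajax.php' ),
		'nonce'    => wp_create_nonce( 'example_temp_access' ),
	) );
}
```

Two checks worth keeping in mind when reviewing similar code. First, a WordPress nonce for a logged-out visitor is derived from user ID 0 and an empty session token, so every anonymous visitor receives the same value within the nonce tick window; printing it via wp_localize_script is normal, treating it as a secret is the bug. Second, grep the plugin for every wp_ajax_nopriv_ registration and confirm each handler either needs no authorization at all or enforces it with something other than check_ajax_referer().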