{"id":260949,"date":"2026-06-01T08:11:00","date_gmt":"2026-06-01T12:11:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/01\/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password\/"},"modified":"2026-06-01T08:25:26","modified_gmt":"2026-06-01T12:25:26","slug":"cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/01\/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password\/","title":{"rendered":"CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/192977\/hacking\/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html\">CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/192977\/hacking\/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html\">https:\/\/securityaffairs.com\/192977\/hacking\/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-01 08:11:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> June 01, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" 
src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/06\/image-2.png?fit=953%2C352&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">CVE-2026-8732 in WP Maps Pro lets unauthenticated attackers create WordPress admin accounts. 2,858 attacks blocked in 24 hours.<\/h2>\n<p class=\"wp-block-paragraph\">The WP Maps Pro plugin allows WordPress site owners to embed Google Maps and OpenStreetMap with markers, listings, and location search. It\u2019s a store locator tool. Unremarkable. The plugin is installed on over 15,000 websites, according to Envato Market sales data. And right now, attackers are actively exploiting a critical flaw in it that lets anyone on the internet create a full administrator account on an affected site without logging in first.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerability is tracked as CVE-2026-8732 and received a CVSS score of 9.8. The root cause is a \u201ctemporary access\u201d feature built to let plugin support staff log into a customer\u2019s site during troubleshooting. That feature registered an AJAX action called wpgmp_temp_access_ajax using WordPress\u2019s wp_ajax_nopriv_ hook, which means unauthenticated users can call it. The only protection was a nonce check, but the nonce itself was embedded publicly into every frontend page of the site via wp_localize_script.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThis makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover,\u201d reads the report published by WordPress security firm WordPress.<\/p>\n<p class=\"wp-block-paragraph\">The design is almost impressive in how thoroughly it fails. 
A nonce is meant to prevent cross-site request forgery, not control access. Using it as an authentication gate for a publicly accessible&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/192977\/hacking\/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a&#8230;<\/p>\n","protected":false},"author":1,"featured_media":260950,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/06\/image-2.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[27],"class_list":["post-260949","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260949"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=260949"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260949\/revisions"}],"predecessor-version":[{"id":260951,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260949\/revisions\/260951"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/260950"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=260949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"hr
ef":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=260949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=260949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}