AI description
CVE-2026-8732 is a privilege escalation vulnerability found in the WP Maps Pro plugin for WordPress, affecting all versions up to and including 6.1.0. The flaw stems from the `wpgmp_temp_access_ajax` AJAX action, which was registered to be accessible by unauthenticated users (`wp_ajax_nopriv_`). Although a nonce check was in place, the required nonce (`fc-call-nonce`) was publicly embedded into every frontend page of the website via `wp_localize_script`, making it easily retrievable by an attacker. This design oversight allows unauthenticated attackers to extract the publicly available nonce and then invoke the `wpgmp_temp_access_support` handler with a specific parameter (`check_temp=false`). This action unconditionally creates a new WordPress user with administrator privileges and provides a "magic login URL." By visiting this URL, the attacker is fully authenticated as the newly created administrator, enabling a complete takeover of the affected WordPress site. The vulnerability was discovered by security researcher David Brown and has been addressed in version 6.1.1 of the plugin.
- Description
- The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
- Source
- security@wordfence.com
- NVD status
- Deferred
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security@wordfence.com
- CWE-306
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
2
👾 CVE-2026-8732: WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action Critical Vulnerability Alert! WordPress Maps Pro Plugin is affected by CVE-2026-8732. #cybersecurity #bugbounty #Vulnerabi
@TodayCyberNews
12 Jul 2026
715 Impressions
0 Retweets
3 Likes
1 Bookmark
1 Reply
0 Quotes
08:50 UTC: CVE-2026-8732 disclosed. ⚠️ Threat actors are actively exploiting a critical vulnerability in WP Maps Pro. CVE-2026-8732 (CVSS 9.8) lets unauthe
@lyrie_ai
8 Jun 2026
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Critical WP Maps Pro Flaw (#CVE-2026-8732, CVSS 98): Unauthenticated Admin Creation & Active Mass Exploitation + Video https://t.co/meqETBldnO Educational Purposes!
@UndercodeUpdate
6 Jun 2026
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2026-8732 2 - CVE-2026-23631 3 - CVE-2026-25243 4 - CVE-2026-46333 5 - CVE-2026-23479 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
4 Jun 2026
94 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-8732:WP Maps Proの脆弱性により、誰でもパスワードなしでWordPress管理画面を作成できてしまう CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password #SecurityAffairs (Jun 1) https://t.co/pu6jAAvB
@foxbook
2 Jun 2026
245 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE Alert — WP Maps Pro CVE-2026-8732 (CVSS 9.8) is being actively exploited in the wild. The vulnerability affects WP Maps Pro for WordPress and allows unauthenticated attackers to create administrator accounts, leading to full site compromise. Affected versions: 6.1.0 and
@CloneSystemsInc
1 Jun 2026
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
WP Maps Pro Admin Account Creation (CVE-2026-8732) Attackers are exploiting a zero-auth flaw in WP Maps Pro to create rogue admin accounts on WordPress sites. One visit to a crafted URL, instant administrator access. CVE-2026-8732. ≤ v6.1.0 affected. 15,000 sites. Exploitation
@ElusivePrivacy
1 Jun 2026
347 Impressions
1 Retweet
2 Likes
0 Bookmarks
1 Reply
0 Quotes
A WP Maps Pro privilege escalation exploit (CVE-2026-8732) allows unauthenticated attackers to create admin accounts. 2,858 attacks blocked. https://t.co/dLzgMTz3nA #WPMapsPro #CVE #PrivilegeEscalation #WordPress #SiteTakeover #Unauthenticated #Wordfence #EnvatoMarket #InfoSec
@redsecuretech
1 Jun 2026
32 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2026-8732 — CVSS 9.8/10 ██████████ The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all... Severity: CRITICAL Patch now. #cybersecurity #CVE https://t.co/tEsLrfcFXy
@OrizonCyber
29 May 2026
78 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Critical CVE-2026-8732 (CVSS 9.8) in WP Maps Pro plugin allows unauthenticated attackers to create admin accounts via exposed AJAX endpoint. 15,000+ WordPress sites affected. Update to version 6.1.1 immediately. #DFIR_Radar https://t.co/T8dPz8O96k
@DFIR_Radar
28 May 2026
145 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes