CVE-2026-8732

Published May 29, 2026

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-8732 is a privilege escalation vulnerability found in the WP Maps Pro plugin for WordPress, affecting all versions up to and including 6.1.0. The flaw stems from the `wpgmp_temp_access_ajax` AJAX action, which was registered to be accessible by unauthenticated users (`wp_ajax_nopriv_`). Although a nonce check was in place, the required nonce (`fc-call-nonce`) was publicly embedded into every frontend page of the website via `wp_localize_script`, making it easily retrievable by an attacker. This design oversight allows unauthenticated attackers to extract the publicly available nonce and then invoke the `wpgmp_temp_access_support` handler with a specific parameter (`check_temp=false`). This action unconditionally creates a new WordPress user with administrator privileges and provides a "magic login URL." By visiting this URL, the attacker is fully authenticated as the newly created administrator, enabling a complete takeover of the affected WordPress site. The vulnerability was discovered by security researcher David Brown and has been addressed in version 6.1.1 of the plugin.

Description
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
Source
security@wordfence.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@wordfence.com
CWE-306

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

2

  1. 👾 CVE-2026-8732: WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action Critical Vulnerability Alert! WordPress Maps Pro Plugin is affected by CVE-2026-8732. #cybersecurity #bugbounty #Vulnerabi

    @TodayCyberNews

    12 Jul 2026

    715 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  2. 08:50 UTC: CVE-2026-8732 disclosed. ⚠️ Threat actors are actively exploiting a critical vulnerability in WP Maps Pro. CVE-2026-8732 (CVSS 9.8) lets unauthe

    @lyrie_ai

    8 Jun 2026

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. 🚨 Critical WP Maps Pro Flaw (#CVE-2026-8732, CVSS 98): Unauthenticated Admin Creation & Active Mass Exploitation + Video https://t.co/meqETBldnO Educational Purposes!

    @UndercodeUpdate

    6 Jun 2026

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2026-8732 2 - CVE-2026-23631 3 - CVE-2026-25243 4 - CVE-2026-46333 5 - CVE-2026-23479 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    4 Jun 2026

    94 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2026-8732:WP Maps Proの脆弱性により、誰でもパスワードなしでWordPress管理画面を作成できてしまう CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password #SecurityAffairs (Jun 1) https://t.co/pu6jAAvB

    @foxbook

    2 Jun 2026

    245 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE Alert — WP Maps Pro CVE-2026-8732 (CVSS 9.8) is being actively exploited in the wild. The vulnerability affects WP Maps Pro for WordPress and allows unauthenticated attackers to create administrator accounts, leading to full site compromise. Affected versions: 6.1.0 and

    @CloneSystemsInc

    1 Jun 2026

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. WP Maps Pro Admin Account Creation (CVE-2026-8732) Attackers are exploiting a zero-auth flaw in WP Maps Pro to create rogue admin accounts on WordPress sites. One visit to a crafted URL, instant administrator access. CVE-2026-8732. ≤ v6.1.0 affected. 15,000 sites. Exploitation

    @ElusivePrivacy

    1 Jun 2026

    347 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. A WP Maps Pro privilege escalation exploit (CVE-2026-8732) allows unauthenticated attackers to create admin accounts. 2,858 attacks blocked. https://t.co/dLzgMTz3nA #WPMapsPro #CVE #PrivilegeEscalation #WordPress #SiteTakeover #Unauthenticated #Wordfence #EnvatoMarket #InfoSec

    @redsecuretech

    1 Jun 2026

    32 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 CVE-2026-8732 — CVSS 9.8/10 ██████████ The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all... Severity: CRITICAL Patch now. #cybersecurity #CVE https://t.co/tEsLrfcFXy

    @OrizonCyber

    29 May 2026

    78 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Critical CVE-2026-8732 (CVSS 9.8) in WP Maps Pro plugin allows unauthenticated attackers to create admin accounts via exposed AJAX endpoint. 15,000+ WordPress sites affected. Update to version 6.1.1 immediately. #DFIR_Radar https://t.co/T8dPz8O96k

    @DFIR_Radar

    28 May 2026

    145 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes