A critical flaw in WP Maps Pro (CVE-2026-8732, CVSS 9.8) lets any unauthenticated visitor create a WordPress administrator account — and receive a passwordless login URL that drops them straight into that account. It's already being exploited in the wild, with WordPress security firm Defiant (Wordfence) blocking more than 3,600 attempts in a single 24-hour period. If you run WP Maps Pro, patch now.

What the Vulnerability Is

The bug comes from the plugin's "temporary access" feature — intended to let vendor support staff reach a customer site for troubleshooting. The AJAX endpoint behind it, wpgmp_temp_access_ajax, is registered with wp_ajax_nopriv_, meaning unauthenticated users can call it. Its only protection is a nonce check using the fc-call-nonce value.

That nonce is not a secret. WP Maps Pro embeds it into every frontend page via wp_localize_script, as the nonce field of the wpgmp_local JavaScript object. Anyone can read it from the page source. With the nonce in hand, the only barrier to the endpoint is gone.

A single crafted request then tells the plugin to create a new WordPress user, assign it the administrator role, generate a passwordless login URL, and send that URL to a remote system. The attacker visits the URL and is automatically authenticated as the new admin — no password, no verification.

Why It Matters

  • Unauthenticated, full takeover, CVSS 9.8. No login required; the outcome is a working admin session.
  • The "protection" was never real. A nonce printed into public page source provides no security against an unauthenticated attacker.
  • Passwordless by design (for the attacker). The auto-login URL means there's nothing to brute-force — exploitation is instant.
  • Actively exploited. Public PoCs exist and Wordfence blocked 3,600+ attempts in 24 hours.

Am I Affected?

All versions of WP Maps Pro up to and including 6.1.0 are vulnerable. The fix shipped in 6.1.1 on May 20, 2026.

Remediation

Update immediately

Upgrade WP Maps Pro to 6.1.1 or later now. If you can't update right away, deactivate the plugin until you can.

Hunt for rogue admins

Because exploitation creates an administrator account, check Users → All Users and filter by Administrator. Delete any account you don't recognize, and pay attention to accounts created recently or with unusual usernames/emails.

Lock down and recover

If you find a rogue admin: rotate all admin passwords, invalidate active sessions, review file changes and scheduled tasks for backdoors, and restore from a known-good backup if integrity is in doubt. Don't assume deleting the one visible account is enough.

Quick-Win Checklist

  • Update WP Maps Pro to 6.1.1+ (or deactivate it) immediately.
  • Review all administrator accounts and remove unrecognized ones.
  • Rotate admin passwords and force-logout all sessions.
  • Search logs for requests to the wpgmp_temp_access_ajax action.
  • Check for backdoors in files, plugins, and wp-cron tasks.
  • If compromised, rebuild from clean sources rather than just removing the rogue user.
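As an added example (not from the advisory or the plugin vendor), the log hunt from the checklist as a Python scan: it flags access-log lines that call the wpgmp_temp_access_ajax action through WordPress's admin-ajax.php endpoint. The log lines are constructed Combined Log Format samples; because WordPress normally sends the action in the POST body, which the access log does not record, plain POSTs to admin-ajax.php are listed separately for manual review.

```python
"""Flag access-log requests for the wpgmp_temp_access_ajax AJAX action.
Caveat: WordPress usually sends the action in the POST body, which Combined
Log Format does not record, so POSTs to admin-ajax.php are listed for review.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "wpgmp_temp_access_ajax"

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return 'hit', 'review', or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    actions = parse_qs(url.query).get("action", [])
    if TARGET_ACTION in actions:
        return "hit"        # action visible in the URL: definite probe
    if m["method"] == "POST" and not actions:
        return "review"     # action hidden in the body: check manually
    return None

def scan(lines):
    """Group matching requests by category, then by source IP."""
    report = {"hit": {}, "review": {}}
    for line in lines:
        kind = classify(line)
        if kind:
            m = LOG_RE.match(line)
            report[kind].setdefault(m["ip"], []).append(m["time"])
    return report

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=wpgmp_temp_access_ajax&nonce=abcd1234 HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/May/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310',
    '198.51.100.2 - - [20/May/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80',
    '198.51.100.9 - - [20/May/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]
```

Run `scan()` over your real access log (one line per element) and treat every IP under "hit" as a confirmed probe; then cross-check the user_registered timestamps of any administrator accounts against those times.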

Sources