
WP Maps Pro CVE-2026-8732 exploitation

Summary

CVE-2026-8732 is an unauthenticated privilege-escalation flaw in the WP Maps Pro WordPress plugin. NVD describes the issue as administrator-account creation through the wpgmp_temp_access_ajax AJAX action in all versions up to and including 6.1.0.

What gives this entry lasting threat-intelligence value is confirmed in-the-wild exploitation: The Hacker News reported on 2026-06-01 that attackers were attempting to exploit the flaw to create malicious administrator accounts, citing Wordfence telemetry that blocked 2,858 attacks in the preceding 24 hours.

Why this matters

  • The bug gives unauthenticated attackers a direct route to WordPress administrator access on vulnerable sites.
  • WP Maps Pro is a commercial maps / store-locator plugin with more than 15,000 Envato Market sales, so exposed installs are likely to be distributed across small-business and e-commerce sites as well as larger organizations.
  • Administrator-account creation should be treated as likely full site compromise: web shells, plugin/theme changes, SEO spam, credential theft, and persistence can follow quickly.

Operational characteristics

  • Affected product: WP Maps Pro / wp-google-map-gold WordPress plugin.
  • Affected versions: all versions up to and including 6.1.0, according to NVD and Wordfence-referenced reporting.
  • Vulnerable path: wpgmp_temp_access_ajax is registered for unauthenticated AJAX access with wp_ajax_nopriv_.
  • Failed access control: NVD says the endpoint is gated only by the fc-call-nonce nonce, which is embedded into public frontend pages through wp_localize_script as the nonce field of the wpgmp_local JavaScript object. A WordPress nonce is a CSRF token, not an authentication or authorization check; a nonce printed into every anonymous visitor's page carries no privilege, so verifying it does nothing to stop an unauthenticated caller. The handler performs no capability check of the current_user_can() kind before creating the account.
  • Exploit outcome: unauthenticated attackers can invoke wpgmp_temp_access_support with check_temp=false, creating a new WordPress user with the hardcoded administrator role and returning a magic login URL.
  • Fix: The Hacker News reported the issue was addressed in 6.1.1, released on 2026-05-20, by limiting endpoint access to authenticated administrators.
  • Exploitation status: The Hacker News reported active exploitation on 2026-06-01 and cited Wordfence blocking 2,858 attacks over the prior 24 hours.

Defender heuristics

  • Upgrade WP Maps Pro to 6.1.1 or later; if immediate patching is not possible, remove or disable the plugin from internet-facing WordPress sites.
  • Hunt for WordPress users created while a vulnerable version (6.1.0 or earlier) was installed, especially unexpected administrators, accounts whose registration time sits next to admin-ajax.php traffic, and accounts with unfamiliar logins or email domains. Compare against any out-of-band record of who was legitimately onboarded.
  • Review access logs for requests to /wp-admin/admin-ajax.php carrying action=wpgmp_temp_access_ajax, unusual requests to plugin paths, and follow-on logins by newly created accounts. admin-ajax.php reads the action name from $_REQUEST, so it may arrive in a POST body that ordinary access logs do not record; where only request lines are available, treat POSTs to admin-ajax.php from unfamiliar sources during the exposure window as candidates and confirm with WAF or request-body logs. wpgmp_temp_access_support is the server-side PHP handler, not a request parameter, and will not appear in web logs.
  • Inspect plugin/theme files, uploads directories, scheduled tasks, .htaccess, wp-config.php, and recently modified PHP files for post-exploitation changes.
  • Rotate WordPress administrator passwords, application passwords, database credentials, hosting-panel credentials, and API keys after confirmed exploitation; preserve web logs, WordPress logs, filesystem mtimes, and database user tables before cleanup where incident response matters.
  • Add WAF / virtual-patching rules for the AJAX action as a temporary control, but do not treat filtering as a substitute for upgrading or removing the vulnerable plugin.
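The log-review and user-hunting steps above, worked through as an added example (this is not code from the advisory, from Wordfence, or from the plugin). It assumes Apache/nginx combined log format, that the AJAX action name is visible in the query string (POSTs that carry it only in the body are reported separately as "blind" candidates), and that the user export is a list of rows shaped like wp_users joined with the role from wp_usermeta. The log lines, user rows, install date and patch date are constructed for the example.

```python
"""
Hunt for CVE-2026-8732 exploitation attempts in web-server access logs and
for administrator accounts created while a vulnerable WP Maps Pro version
was installed. Added example; not the advisory's or the plugin's own code.
Assumptions: combined log format, action visible in the query string,
and wp_users-style rows with a 'roles' list attached.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Identifiers from the advisory.
VULN_ACTION = "wpgmp_temp_access_ajax"
FIXED_VERSION = (6, 1, 1)

# Constructed exposure window (assumed dates): when the plugin was installed
# on this site and when 6.1.1 was applied.
INSTALLED_AT = datetime(2026, 1, 1, tzinfo=timezone.utc)
PATCHED_AT = datetime(2026, 6, 2, tzinfo=timezone.utc)

# Combined log format: ip - user [ts] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/May/2026:09:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 184 "-" "python-requests/2.31"',
    '198.51.100.7 - - [31/May/2026:09:15:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.9 - - [31/May/2026:09:16:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [31/May/2026:09:20:10 +0000] "GET /store-locator/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
]

# Constructed sample user export (not real accounts).
SAMPLE_USERS = [
    {"user_login": "owner", "user_registered": datetime(2024, 3, 1, tzinfo=timezone.utc), "roles": ["administrator"]},
    {"user_login": "editor1", "user_registered": datetime(2026, 5, 28, tzinfo=timezone.utc), "roles": ["editor"]},
    {"user_login": "support_tmp", "user_registered": datetime(2026, 5, 31, 9, 12, 2, tzinfo=timezone.utc), "roles": ["administrator"]},
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def ajax_action(path):
    """Return the AJAX action from the query string, or None if absent."""
    return parse_qs(urlparse(path).query).get("action", [None])[0]


def find_exploit_attempts(lines):
    """Split admin-ajax.php requests into confirmed hits and blind candidates.

    hits: the vulnerable action is visible in the query string.
    blind: POST to admin-ajax.php with no action in the query string; the
    action may be in the body, which combined logs do not capture.
    """
    hits, blind = [], []
    for line in lines:
        rec = parse_line(line)
        if not rec or not urlparse(rec["path"]).path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = ajax_action(rec["path"])
        if action == VULN_ACTION:
            hits.append(rec)
        elif action is None and rec["method"] == "POST":
            blind.append(rec)
    return hits, blind


def suspicious_admins(users, installed_at, patched_at):
    """Administrators whose registration falls inside the exposure window."""
    return [u for u in users
            if "administrator" in u["roles"] and installed_at <= u["user_registered"] <= patched_at]


def is_vulnerable_version(version):
    """True for any plugin version below 6.1.1 (e.g. '6.1.0', '6.0', '5.9.2')."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


if __name__ == "__main__":
    hits, blind = find_exploit_attempts(SAMPLE_LOG)
    for r in hits:
        print("HIT  ", r["ts"].isoformat(), r["ip"], r["ua"])
    for r in blind:
        print("BLIND", r["ts"].isoformat(), r["ip"], "POST to admin-ajax.php, check WAF/body logs")
    for u in suspicious_admins(SAMPLE_USERS, INSTALLED_AT, PATCHED_AT):
        print("ADMIN", u["user_login"], "registered", u["user_registered"].isoformat())
```

On a live site the user rows can come from WP-CLI (wp user list --role=administrator --fields=ID,user_login,user_registered) or a direct query of wp_users joined to the wp_capabilities row in wp_usermeta; the blind candidates are the reason request-body logging at the WAF matters for this bug.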

Sources

  • The Hacker News: https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8732
  • Wordfence vulnerability record: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-map-gold/wp-maps-pro-610-unauthenticated-privilege-escalation-via-administrator-account-creation-to-wpgmp-temp-access-ajax-ajax-action
  • Wordfence blog: https://www.wordfence.com/blog/2026/05/15000-wordpress-sites-affected-by-administrator-account-creation-vulnerability-in-wp-maps-pro-wordpress-plugin/