Threat actors are actively attempting to exploit a critical security flaw affecting WP Maps Pro, a widely used WordPress plugin that has recorded more than 15,000 sales through Envato Market. Security researchers have warned that attackers are using the vulnerability to create unauthorized administrator accounts on affected websites, potentially giving them complete control over compromised systems. The plugin is commonly used by website owners to embed customizable Google Maps and OpenStreetMap services into WordPress websites, enabling advanced location features, listings, markers, and store locator functionality for businesses and organizations.
The vulnerability, tracked as CVE-2026-8732, carries a critical CVSS severity score of 9.8 and has been classified as a privilege escalation flaw. According to the security findings, the issue allows unauthenticated attackers to create WordPress accounts with administrator-level privileges, effectively bypassing normal authentication requirements. Once administrator access is obtained, attackers can modify website settings, upload malicious files, alter content, or fully take over the site. Researchers confirmed that the flaw affects all WP Maps Pro versions up to and including 6.1.0; the plugin maintainers addressed the issue in version 6.1.1. Security researcher David Brown has been credited with identifying and responsibly reporting the vulnerability.
At the core of the issue is a “temporary access” feature designed to let customer support staff temporarily log into a customer’s website during troubleshooting sessions. Researchers found that its implementation lacked sufficient access controls, allowing unauthenticated users to trigger a sensitive function without proper verification. According to cybersecurity firm Wordfence, the plugin registers an AJAX action called “wpgmp_temp_access_ajax” using the “wp_ajax_nopriv_” hook, which makes it reachable without any user authentication. The handler did attempt to protect itself with a nonce check, but researchers explained that this protection was ineffective because the required nonce value was embedded in the public frontend pages through JavaScript objects, where anyone could read and reuse it.
Security experts further explained that attackers could exploit the flaw by invoking the “wpgmp_temp_access_support” function with a manipulated parameter that bypasses its validation checks, causing it to create a new WordPress administrator account through the “wp_insert_user()” function. The attack chain then provides a special login link that sets authentication cookies, immediately logging the attacker into the website as an administrator. This gives threat actors unrestricted administrative access without valid credentials, making the flaw particularly dangerous for unpatched websites.
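The bug class described above is a WordPress nonce being used as an authorization check when it is only a CSRF token, on an endpoint exposed to anonymous visitors via “wp_ajax_nopriv_”. The following added illustration (not WP Maps Pro’s code; every function, hook and handle name is invented) shows that anti-pattern beside the hardened shape of the fix the maintainers describe: register the handler for logged-in users only and make a capability check the authorization decision.

```php
<?php
// Hypothetical illustration of the bug class, not the plugin's real code.
// All names (example_*, 'exampleAjax', 'example-frontend') are invented.

// Shared helper: creates an administrator account for a support session.
function example_create_support_admin( $email ) {
    return wp_insert_user( [
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24, true ),
        'user_email' => sanitize_email( $email ),
        'role'       => 'administrator',
    ] );
}

// The nonce is written into the public page source via wp_localize_script(),
// so any visitor can read it; it proves "came from this page", not "is an admin".
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-frontend', plugins_url( 'frontend.js', __FILE__ ), [], '1.0', true );
    wp_localize_script( 'example-frontend', 'exampleAjax', [
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_temp_access' ),
    ] );
} );

// VULNERABLE: "nopriv" exposes the handler to anonymous requests, and the nonce
// is the only gate, so the publicly embedded value is enough to pass it.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' );
function example_temp_access_vulnerable() {
    check_ajax_referer( 'example_temp_access', 'nonce' );
    $user_id = example_create_support_admin( wp_unslash( $_POST['email'] ?? '' ) );
    wp_send_json_success( [ 'user_id' => $user_id ] );
}

// HARDENED: no nopriv registration, so only logged-in users reach the handler,
// and current_user_can() is the authorization decision; the nonce stays as CSRF defense.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );
function example_temp_access_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_temp_access', 'nonce' );
    $user_id = example_create_support_admin( wp_unslash( $_POST['email'] ?? '' ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    // Record who created the account so the action is auditable after the fact.
    error_log( sprintf( 'temp access admin %d created by user %d', $user_id, get_current_user_id() ) );
    wp_send_json_success( [ 'user_id' => $user_id ] );
}
```

When reviewing a site for this class of issue, look for `wp_ajax_nopriv_` handlers whose only guard is `check_ajax_referer()` and whose nonce is emitted to unauthenticated pages.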
Plugin maintainers released a security patch on May 20, 2026, addressing the issue by restricting access to the vulnerable endpoint so that only authenticated administrators can use it. Despite the availability of a fix, cybersecurity experts have warned that exploitation attempts are already under way. Wordfence reported blocking 2,858 attack attempts targeting the vulnerability within a 24-hour period, indicating growing interest among threat actors. Security professionals strongly recommend that website owners using WP Maps Pro immediately update to version 6.1.1 or later to reduce exposure and protect their sites against compromise.