Introduction
A single unauthenticated HTTP request is all it takes to create a full administrator account on any WordPress site running WP Maps Pro version 6.1.0 or earlier. The vulnerability, tracked as CVE-2026-8732 with a CVSS score of 9.8, turns a "temporary support access" feature into an open door for complete site takeover, no credentials required.
WP Maps Pro is a premium WordPress plugin developed by Flipper Code (also known as WePlugins) that provides store locator functionality, custom map creation, and integration with Google Maps, OpenStreetMap, and MapBox. Sold exclusively through CodeCanyon with over 19,400 sales, it occupies a meaningful share of the WordPress mapping plugin market. Its free counterpart, WP Maps, is distributed through the WordPress.org plugin repository, giving the Flipper Code mapping ecosystem a broad footprint across WordPress installations.
Technical Information
Root Cause: CWE-306 and the Nonce Misconception
CVE-2026-8732 falls under CWE-306: Missing Authentication for Critical Function. The core issue is an AJAX handler that performs an extremely sensitive operation (creating an administrator account) without any authentication or authorization check. The only gate is a WordPress nonce, and that nonce is publicly available on every page of the site.
WordPress nonces are CSRF protection tokens. They verify that a request originated from a page on the site. They do not verify the identity or authorization level of the requester. When a nonce is embedded in frontend markup visible to all visitors, it provides exactly zero access control value.
The Vulnerable AJAX Handler
The plugin registers the wpgmp_temp_access_ajax AJAX action using the wp_ajax_nopriv_ hook prefix. In WordPress, this prefix explicitly designates the handler as accessible to unauthenticated users. Any visitor, logged in or not, can invoke this handler by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to wpgmp_temp_access_ajax.
The handler performs a nonce verification using the fc-call-nonce value. However, this nonce is embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object. An attacker can extract this value by simply viewing the page source of any page on the target site.
Exploitation Flow
The attack chain is straightforward and can be executed with nothing more than a browser or a curl command:
Step 1: Obtain the nonce. The attacker visits any page on the target WordPress site and extracts the fc-call-nonce value from the wpgmp_local JavaScript object in the page source. This object is injected into every frontend page by the plugin via wp_localize_script.
Step 2: Send the AJAX request. The attacker sends a POST request to wp-admin/admin-ajax.php with the following parameters:
actionset towpgmp_temp_access_ajax- The extracted nonce value
check_tempset tofalse
Setting check_temp=false causes the wpgmp_temp_access_support handler to skip any temporal validation that might otherwise limit when the feature can be used. The parameter is attacker controlled, making this bypass trivial.
Step 3: Administrator account is created. The handler calls wp_insert_user() with a hardcoded role of administrator. There is no capability check, no role validation, and no configuration option that limits the role. Every successful invocation creates a full administrator account.
Step 4: Magic login URL is returned. The handler responds with a "magic login URL." When the attacker visits this URL, WordPress calls wp_set_auth_cookie(), establishing a fully authenticated administrator session. No password is needed. No login form interaction is required. The attacker has immediate, persistent administrative access to the entire WordPress installation.
Why This Is Particularly Dangerous
The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H captures the severity well: network accessible, low complexity, no privileges required, no user interaction needed, and complete impact across confidentiality, integrity, and availability. The entire exploitation chain can be automated trivially, placing it within the capability of automated scanning tools and low skill threat actors operating at scale.
The feature appears to have been designed as a temporary support access mechanism, likely intended to allow plugin support staff to log into a customer's site for troubleshooting. However, the implementation exposes this capability to the entire internet with no meaningful access control.
Affected Systems and Versions
| Attribute | Value |
|---|---|
| Plugin Name | WP Maps Pro |
| Plugin Slug | wp-google-map-gold |
| Affected Versions | All versions up to and including 6.1.0 |
| Patched Version | 6.1.1 |
| Platform | WordPress |
| Distribution | CodeCanyon (Envato Marketplace) |
| Installed Base | 19,400+ sales reported on CodeCanyon |
Any WordPress site running WP Maps Pro version 6.1.0 or earlier is vulnerable, regardless of WordPress version or server configuration. The vulnerability does not require any specific plugin settings or configurations to be exploitable; the vulnerable AJAX endpoint is active by default when the plugin is installed and activated.
It is worth noting that because WP Maps Pro is distributed through CodeCanyon rather than the WordPress.org repository, sites do not benefit from WordPress's built in auto update mechanism. Plugin updates must be downloaded and installed manually from the CodeCanyon marketplace, which historically results in slower patch adoption rates.
Vendor Security History
Flipper Code's mapping plugin family has a documented pattern of authorization related vulnerabilities that warrants attention:
| CVE | Plugin | Vulnerability Type | CVSS | CWE | Affected Versions | Patched In |
|---|---|---|---|---|---|---|
| CVE-2026-8732 | WP Maps Pro | Unauthenticated Privilege Escalation | 9.8 | CWE-306 | <= 6.1.0 | 6.1.1 |
| CVE-2025-39465 | WP Maps Pro | Missing Authorization | 4.3 | CWE-306 | <= 5.8.4 | 5.8.5 |
| CVE-2026-3222 | WP Maps (free) | Time-based Blind SQL Injection | N/A | N/A | <= 4.9.1 | N/A |
Both CVE-2025-39465 and CVE-2026-8732 share the same root CWE (CWE-306), indicating a systemic architectural weakness in how the vendor implements authorization controls. The earlier vulnerability allowed authenticated attackers with Subscriber level access to perform unauthorized actions. CVE-2026-8732 represents a far more severe manifestation of the same design flaw, escalating from authenticated to completely unauthenticated exploitation with maximum privilege gain.
The free counterpart plugin, WP Go Maps (formerly WP Google Maps), has 23 documented vulnerabilities on Wordfence, including unauthenticated stored cross site scripting, SQL injection, and multiple authorization bypass issues. Organizations using any Flipper Code mapping plugin should audit their entire mapping plugin footprint and evaluate whether the risk profile aligns with their security requirements.
Mitigation Recommendations
Upgrade immediately. The definitive fix is upgrading to WP Maps Pro version 6.1.1 or later. Given the trivial exploitation complexity and maximum impact, this should be treated as an emergency patching priority.
If patching is not immediately possible, deactivate the plugin. Removing the active plugin eliminates the vulnerable AJAX endpoint entirely. This is the most reliable compensating control short of patching.
Deploy WAF rules. Web application firewalls can be configured to block POST requests to wp-admin/admin-ajax.php containing action=wpgmp_temp_access_ajax. Wordfence Premium includes firewall rules designed to block attacks targeting known WordPress plugin vulnerabilities.
Audit for compromise indicators. After patching, review all WordPress administrator accounts for entries that were not intentionally created. Specific indicators to look for include:
- Administrator accounts with unfamiliar usernames or recent creation dates
- POST requests in server logs to
wp-admin/admin-ajax.phpcontainingaction=wpgmp_temp_access_ajaxandcheck_temp=false - Authentication cookies or active sessions for unrecognized user accounts
If any indicators of compromise are found, assume full site takeover and conduct a thorough incident response, including reviewing all site content, checking for backdoors, and resetting all user credentials.
Evaluate long term plugin strategy. Given the recurring CWE-306 pattern in this plugin's history, organizations with strict security requirements should consider migrating to an alternative mapping plugin with a stronger security track record.
Threat Landscape Context
As of May 29, 2026, no confirmed active exploitation of CVE-2026-8732 has been reported. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. However, the vulnerability was publicly disclosed less than 24 hours ago, and several characteristics make it a strong candidate for near term weaponization.
The exploitation requires no authentication, no user interaction, no special tools, and no exploit development expertise. A single HTTP POST with publicly obtainable parameters is sufficient. This places it well within the capability of automated scanning botnets that routinely target WordPress plugin vulnerabilities at scale.
Historical precedent supports this assessment. The Patchstack State of WordPress Security in 2026 report describes privilege escalation flaws as among the most commonly exploited vulnerability categories in the WordPress ecosystem. A comparable vulnerability in the Modular DS Connector plugin (CVE-2026-23550), which also allowed unauthenticated admin account creation, was reported to put approximately 40,000 WordPress sites at risk.
The CodeCanyon distribution model compounds the risk. Unlike plugins hosted on WordPress.org, CodeCanyon plugins do not benefit from WordPress's built in update notifications and auto update features. This means the window between patch availability and actual patch adoption is likely to be significantly longer, giving threat actors more time to exploit unpatched installations.
References
- NVD Entry for CVE-2026-8732
- Wordfence Advisory: WP Maps Pro <= 6.1.0 Unauthenticated Privilege Escalation
- Wordfence Vulnerability Database: WP Maps Pro
- CodeCanyon Listing: Store Locator for WordPress
- CWE-306: Missing Authentication for Critical Function
- Wordfence Advisory: Advanced Google Maps <= 5.8.4 Missing Authorization (CVE-2025-39465)
- Wordfence Vulnerability Database: WP Go Maps
- Patchstack: State of WordPress Security in 2026
- CISA Known Exploited Vulnerabilities Catalog
- WordPress.org: WP Maps Plugin
- Wordfence Intelligence



