Critical WP Maps Pro Bug Allows Unauthenticated Admin Takeover
A maximum-severity unauthenticated privilege escalation vulnerability in WP Maps Pro, a popular WordPress mapping plugin with over 15,000 sales on CodeCanyon, is being actively exploited in the wild, allowing threat actors to silently create rogue administrator accounts and seize full control of affected websites.
Tracked as CVE-2026-8732 and carrying a CVSS score of 9.8 (Critical), the flaw affects all plugin versions up to and including 6.1.0. Classified under CWE-306 (Missing Authentication for Critical Function), the vulnerability requires no privileges, no user interaction, and is fully exploitable over the network.
The flaw originates in the plugin’s built-in “temporary access” feature, designed to allow vendor staff to log in to customer sites during troubleshooting. The AJAX action wpgmp_temp_access_ajax was registered using WordPress’s wp_ajax_nopriv_ hook, making it accessible to completely unauthenticated users.
Its only protection was a nonce check, but that nonce (fc-call-nonce) is publicly embedded into every frontend page of the affected site via wp_localize_script, rendering it entirely ineffective as an access control mechanism, Wordfence said.
By sending a simple POST request to the exposed AJAX endpoint with the parameter check_temp=false, an attacker triggers the wpgmp_temp_access_support() function.
This function unconditionally calls WordPress’s wp_insert_user() to create a new account with a hardcoded administrator role, a randomly generated username prefixed with fc_user_, and the hardcoded email address support@flippercode.com.
The function then generates a “magic login URL” and returns it directly in the HTTP response body. When the attacker visits that URL, the plugin calls wp_set_auth_cookie() to fully authenticate them as the new administrator, with no password or further verification required, according to Wordfence’s analysis.

Active exploitation has already been confirmed in the wild. Threat actors leveraging this vulnerability have been observed installing malicious plugins, injecting persistent backdoors, deploying web shells, exfiltrating sensitive data, and defacing site content: the full range of post-compromise tactics available to a WordPress administrator.
Security researcher David Brown responsibly disclosed the flaw through the Wordfence Bug Bounty Program on March 24, 2026. With no direct vendor contact available, Wordfence escalated to the Envato security team on May 16, 2026, who forwarded the report to the developer.
A fully patched version, 6.1.1, was released on May 20, 2026. The fix adds a current_user_can('manage_options') capability check at the top of the AJAX callback, immediately rejecting unauthenticated requests with a 403 Unauthorized error before any account creation logic executes.
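The pattern the fix describes, an authorization check at the top of the AJAX callback before any privileged work, is shown below as an added illustrative example. It is not the plugin's actual code: the action and function names are taken from the article, the request field name `nonce`, the meta key `_created_by_user_id`, and the callback body are assumptions, and registering the action only on `wp_ajax_` (never on `wp_ajax_nopriv_`) is an additional hardening step beyond the capability check the article names.

```php
<?php
// Added illustrative example (not the plugin's code): a WordPress AJAX callback
// gated by a capability check, as the article says the 6.1.1 fix does.

// Register for authenticated users only. Registering the same callback on
// wp_ajax_nopriv_ is what exposed the original endpoint to anonymous visitors.
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'wpgmp_temp_access_support_hardened' );

function wpgmp_temp_access_support_hardened() {
    // 1. Authorization first. A nonce is not an access control: it only shows the
    //    request came from a page that carried the nonce, and the article notes
    //    this nonce was printed into every public frontend page. wp_send_json_error()
    //    calls wp_die(), so execution stops here for unauthorized callers.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. The nonce check still belongs here, but as CSRF protection for a logged-in
    //    administrator. 'fc-call-nonce' is the nonce name from the article; the
    //    request field name 'nonce' is an assumption.
    check_ajax_referer( 'fc-call-nonce', 'nonce' );

    // 3. Only now perform the privileged operation the article describes
    //    (creating a support account). The password is random and never returned.
    $login   = 'fc_user_' . wp_generate_password( 8, false, false );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 32, true, true ),
        'user_email' => 'support@flippercode.com',
        'role'       => 'administrator',
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // Leave an audit trail: which administrator created this account.
    // The meta key is an assumption, not something the plugin uses.
    update_user_meta( $user_id, '_created_by_user_id', get_current_user_id() );

    wp_send_json_success( array( 'user_id' => $user_id, 'user_login' => $login ) );
}
```

The order matters: the capability check runs before the nonce check and before any database write, so an unauthenticated request is rejected with a 403 without ever reaching wp_insert_user(). Dropping the `wp_ajax_nopriv_` registration removes the anonymous code path entirely, which is the stronger guarantee; the capability check then defends against a future registration mistake.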
Mitigation
- Update WP Maps Pro to version 6.1.1 immediately; this is an emergency patch priority
- Audit all WordPress administrator accounts and remove any suspicious entries with usernames beginning with fc_user_ or using the email support@flippercode.com
- Review server and access logs for unusual POST requests targeting the wpgmp_temp_access_ajax AJAX action
- Deploy a Web Application Firewall (WAF) to block exploitation attempts across all unpatched instances
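The two audit steps above (administrator accounts and access logs) can be scripted. The following is an added example, not from the article or the vendor, that runs stand-alone with the PHP 8 CLI on constructed sample data; on a real site the user rows would come from WP_User_Query or `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`, and the log lines from the web server's access log. The sample IP addresses, timestamps and user agents are constructed.

```php
<?php
// Added example (not the article's or vendor's code): flag the indicators the
// mitigation list names, on constructed sample data.

/**
 * Return administrator logins matching the article's indicators: a username
 * beginning with fc_user_ or the email address support@flippercode.com.
 */
function find_suspicious_admins( array $users ): array {
    $hits = array();
    foreach ( $users as $u ) {
        if ( ! in_array( 'administrator', $u['roles'], true ) ) {
            continue; // only administrator accounts matter for this check
        }
        $login_hit = str_starts_with( $u['user_login'], 'fc_user_' );
        $email_hit = strcasecmp( $u['user_email'], 'support@flippercode.com' ) === 0;
        if ( $login_hit || $email_hit ) {
            $hits[] = $u['user_login'];
        }
    }
    return $hits;
}

/**
 * Return access-log lines for POST requests to admin-ajax.php whose query string
 * names the wpgmp_temp_access_ajax action.
 * Caveat: if the action parameter was sent only in the POST body, a standard
 * access log will not contain it. In that case review every POST to
 * admin-ajax.php around the registration time of a suspicious account, or use a
 * WAF / mod_security log that records request bodies.
 */
function find_temp_access_requests( array $log_lines ): array {
    $pattern = '#"POST /wp-admin/admin-ajax\.php\?[^" ]*action=wpgmp_temp_access_ajax[^" ]* HTTP/#';
    return array_values( preg_grep( $pattern, $log_lines ) );
}

// --- constructed sample data (not real users or real traffic) -------------
$sample_users = array(
    array( 'user_login' => 'siteowner',      'user_email' => 'owner@example.com',       'roles' => array( 'administrator' ) ),
    array( 'user_login' => 'fc_user_k29dq1', 'user_email' => 'support@flippercode.com', 'roles' => array( 'administrator' ) ),
    array( 'user_login' => 'editor1',        'user_email' => 'editor@example.com',      'roles' => array( 'editor' ) ),
);

$sample_log = array(
    '203.0.113.7 - - [21/May/2026:02:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.2 - - [21/May/2026:02:14:10 +0000] "GET /index.php HTTP/1.1" 200 9048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [21/May/2026:02:15:31 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
);

foreach ( find_suspicious_admins( $sample_users ) as $login ) {
    echo "Suspicious administrator: {$login}\n";   // flags fc_user_k29dq1
}
foreach ( find_temp_access_requests( $sample_log ) as $line ) {
    echo "Suspicious request: {$line}\n";           // flags the first log line only
}
```

A match on either function is a strong indicator but not proof on its own: legitimate vendor support sessions would have produced the same account shape before the patch, so correlate the account's registration timestamp with the log hits and with any plugins or files changed at the same time before deciding the site was compromised.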
Given the zero-authentication barrier, a publicly available proof-of-concept, and confirmed in-the-wild exploitation, CVE-2026-8732 demands immediate remediation. Any site running WP Maps Pro below version 6.1.1 should be considered actively at risk.