CVE-2026-8732 Overview
CVE-2026-8732 is a privilege escalation vulnerability in the WP Maps Pro plugin for WordPress affecting all versions up to and including 6.1.0. The flaw resides in the wpgmp_temp_access_ajax AJAX action, which is registered with wp_ajax_nopriv_ and guarded only by a nonce that the plugin publicly embeds into every frontend page. Unauthenticated attackers can invoke the wpgmp_temp_access_support handler with check_temp=false to create a new administrator account and receive a magic login URL. Visiting that URL authenticates the attacker as the new administrator, resulting in complete site takeover [CWE-306].
Critical Impact
Unauthenticated attackers can create administrator accounts and fully take over any WordPress site running WP Maps Pro 6.1.0 or earlier.
Affected Products
- WP Maps Pro plugin for WordPress, all versions through 6.1.0
- WordPress sites that distribute the wpgmp_local JavaScript object on frontend pages
- Advanced Google Maps Plugin for WordPress (Codecanyon distribution)
Discovery Timeline
- 2026-05-29 - CVE-2026-8732 published to the National Vulnerability Database (NVD)
- 2026-05-29 - Last updated in the NVD database
Technical Details for CVE-2026-8732
Vulnerability Analysis
The vulnerability stems from treating a publicly exposed nonce as an authentication boundary. WP Maps Pro registers the wpgmp_temp_access_ajax action through both wp_ajax_ and wp_ajax_nopriv_ hooks, allowing unauthenticated requests. The handler then verifies the fc-call-nonce nonce before processing the request.
That nonce is injected into every frontend page through wp_localize_script as part of the wpgmp_local JavaScript object. Any anonymous visitor can scrape the nonce from the page source and submit valid requests. WordPress nonces protect against CSRF, not against unauthorized access, so the plugin lacks a real authorization check on a privileged action.
When the handler runs the wpgmp_temp_access_support branch with the parameter check_temp=false, it unconditionally calls wp_insert_user() with a hardcoded administrator role. The function returns a magic login URL that invokes wp_set_auth_cookie(), authenticating the caller as the newly created administrator.
Root Cause
The root cause is missing authentication on a critical function [CWE-306]. The developer used a nonce as the sole gate on a handler that creates privileged accounts. Because the nonce is rendered to every frontend visitor and the AJAX action is registered for unauthenticated users, the control provides no security value.
Attack Vector
The attack is remote, network-based, and requires no authentication or user interaction. An attacker fetches any frontend page that loads WP Maps Pro, extracts the fc-call-nonce value from the wpgmp_local object in the HTML, and sends a POST request to admin-ajax.php invoking wpgmp_temp_access_ajax with check_temp=false. The response contains a magic login URL that the attacker visits to gain administrator-level session cookies.
With administrator access, the attacker can install malicious plugins, modify themes to drop PHP webshells, exfiltrate database contents, and pivot to the underlying host depending on the WordPress configuration. The vulnerability mechanism is documented in the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-8732
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action=wpgmp_temp_access_ajax originating from unauthenticated sessions
- Newly created WordPress users with the administrator role that do not correspond to legitimate provisioning workflows
- Successful authentication cookies issued shortly after an admin-ajax.php call to the WP Maps Pro handler
- Unexpected plugin installations, theme file modifications, or PHP files written under wp-content/uploads
Detection Strategies
- Inspect web server access logs for admin-ajax.php requests carrying the wpgmp_temp_access_support parameter and check_temp=false
- Alert on creation of any WordPress user assigned the administrator role outside of approved change windows
- Correlate user creation events in the wp_users table with the IP address of the preceding AJAX call to identify the attacker session
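A detection pass over constructed access-log lines and audit events, added here as an example and not part of the original report: it flags admin-ajax.php calls whose action is wpgmp_temp_access_ajax and pairs any administrator account created within five minutes with the IP address of the preceding call. It assumes combined-format access logs with the parameters in the query string (standard access logs do not record POST bodies, so body-only parameters need WAF or request-body logging) and audit events in a hypothetical JSON shape.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [29/May/2026:10:14:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/May/2026:10:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 210 "-" "python-requests/2.31"
198.51.100.4 - - [29/May/2026:10:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Constructed WordPress audit events in a hypothetical shape (e.g. exported to a SIEM).
USER_EVENTS = [
    {"time": "2026-05-29T10:14:06+00:00", "event": "user_created", "user": "wpgmp_tmp", "role": "administrator"},
    {"time": "2026-05-29T09:00:00+00:00", "event": "user_created", "user": "editor_jane", "role": "editor"},
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SUSPECT_ACTION = "wpgmp_temp_access_ajax"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "time": ts, "method": m["method"], "path": url.path,
            "args": parse_qs(url.query), "status": int(m["status"])}

def find_exploit_attempts(log_text):
    """Return every admin-ajax.php request whose action is the vulnerable WP Maps Pro handler."""
    hits = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if not r or not r["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        if SUSPECT_ACTION in r["args"].get("action", []):
            hits.append(r)
    return hits

def correlate_admin_creation(hits, events, window=timedelta(minutes=5)):
    """Pair each newly created administrator with a suspect AJAX call that preceded it."""
    findings = []
    for ev in events:
        if ev["event"] != "user_created" or ev["role"] != "administrator":
            continue
        created = datetime.fromisoformat(ev["time"])
        for h in hits:
            if timedelta(0) <= created - h["time"] <= window:
                findings.append({"user": ev["user"], "attacker_ip": h["ip"], "ajax_time": h["time"].isoformat()})
    return findings
```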
Monitoring Recommendations
- Forward WordPress audit logs and web server access logs to a centralized SIEM for query and correlation
- Monitor file integrity on wp-content/plugins/ and wp-content/themes/ to identify post-exploitation persistence
- Track outbound connections from the web host that follow new administrator account creation, which often indicate webshell callbacks
How to Mitigate CVE-2026-8732
Immediate Actions Required
- Disable or uninstall the WP Maps Pro plugin on all WordPress instances running version 6.1.0 or earlier until a patched release is verified
- Audit the wp_users table for unexpected administrator accounts and remove any unauthorized entries
- Rotate credentials, secret keys in wp-config.php, and active session cookies for all administrator accounts
- Review installed plugins, themes, and uploaded files for backdoors introduced after the first known exposure
Patch Information
At the time of NVD publication on 2026-05-29, no fixed version has been confirmed in the available references. Monitor the Wordfence Vulnerability Report and the Codecanyon plugin page for vendor updates and apply the patched version as soon as it is released.
Workarounds
- Block requests to admin-ajax.php containing action=wpgmp_temp_access_ajax at the web application firewall or reverse proxy
- Restrict access to /wp-admin/admin-ajax.php from unauthenticated clients where business logic allows
- Deactivate the plugin entirely on production sites until a vendor patch is verified
# Example WAF rule (ModSecurity) to block exploitation attempts.
# phase:2 makes the rule run after the request body is parsed, so ARGS:action
# is checked whether the parameter arrives in the query string or the POST body.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "id:1026873200,phase:2,deny,status:403,log,chain,\
    msg:'Block CVE-2026-8732 WP Maps Pro privilege escalation'"
    SecRule ARGS:action "@streq wpgmp_temp_access_ajax" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.