CVE-2026-8732
WordPress · WP Maps Pro Plugin
The WP Maps Pro plugin for WordPress contains a privilege escalation vulnerability that allows unauthenticated attackers to create new administrator accounts and gain full site control.
Executive summary
An unauthenticated privilege escalation vulnerability in the WP Maps Pro plugin allows attackers to achieve full administrative site takeover.
Vulnerability
The plugin registers an AJAX action with insufficient access control, relying on a publicly accessible nonce to protect sensitive functions. Unauthenticated attackers can invoke this handler to create a new administrator account and authenticate as that user via a generated login URL.
Business impact
This vulnerability carries a CVSS score of 9.8, indicating a critical severity level. Successful exploitation results in complete site takeover, granting the attacker full control over the WordPress environment, including access to sensitive customer data, the ability to modify site content, and the potential to distribute malware to visitors.
Remediation
Immediate Action: Update the WP Maps Pro plugin to the latest version provided by the vendor as soon as possible. If no update is available yet, deactivate and remove the plugin until a patched version can be installed.
Proactive Monitoring: Review WordPress user account logs for the creation of unexpected administrator accounts. Monitor AJAX traffic for requests to the wpgmp_temp_access_ajax action.
Compensating Controls: Implement a Web Application Firewall (WAF) to block unauthorized requests to AJAX endpoints associated with the plugin.
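The two monitoring checks above (unexpected administrator accounts, and AJAX requests naming the wpgmp_temp_access_ajax action) can be scripted. The following is an added example written for this advisory, not code from the vendor or the plugin. The log lines and user records are constructed samples; the log format is the common Apache/nginx "combined" format, and the user list is assumed to have the shape of a JSON export such as `wp user list --role=administrator --format=json` (the exact field layout is an assumption). Only the action name comes from the advisory.

```python
"""
Detection helpers for the WP Maps Pro advisory (added example, not plugin code):
  1. flag admin-ajax.php requests whose query string names wpgmp_temp_access_ajax
  2. flag administrator accounts that are not in a known-good baseline
All sample data below is constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

SUSPICIOUS_ACTION = "wpgmp_temp_access_ajax"  # action named in the advisory

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/May/2026:10:14:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/May/2026:10:14:06 +0000] "GET /about/ HTTP/1.1" 200 7311 "-" "Mozilla/5.0"',
    # Action carried only in the POST body: invisible to an access log (see note).
    '203.0.113.7 - - [12/May/2026:10:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.4.0"',
]

# Constructed sample user export; assumed shape, roles as a list of role slugs.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "roles": ["administrator"], "user_registered": "2024-01-10 09:00:00"},
    {"ID": 2, "user_login": "editor_jane", "roles": ["editor"], "user_registered": "2024-03-02 14:20:00"},
    {"ID": 57, "user_login": "unknown_admin_2026", "roles": ["administrator"], "user_registered": "2026-05-12 10:14:03"},
]
BASELINE_ADMINS = ["siteowner"]  # the administrator logins you expect to exist


def suspicious_ajax_requests(log_lines):
    """Return (ip, timestamp, action) for each admin-ajax.php request whose
    query string names the suspicious action. Lines that do not parse are skipped."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        actions = parse_qs(parts.query).get("action", [])
        if SUSPICIOUS_ACTION in actions:
            hits.append((m.group("ip"), m.group("ts"), SUSPICIOUS_ACTION))
    return hits


def unexpected_admins(users, baseline_admin_logins):
    """Return user records holding the administrator role whose login is not
    in the known-good baseline. Review each one against your change records."""
    baseline = set(baseline_admin_logins)
    return [
        u for u in users
        if "administrator" in u.get("roles", []) and u.get("user_login") not in baseline
    ]


def run_checks(log_lines=SAMPLE_LOG, users=SAMPLE_USERS, baseline=BASELINE_ADMINS):
    """Run both checks and return their findings in one dict."""
    return {
        "ajax_hits": suspicious_ajax_requests(log_lines),
        "unexpected_admins": [u["user_login"] for u in unexpected_admins(users, baseline)],
    }


if __name__ == "__main__":
    findings = run_checks()
    for ip, ts, action in findings["ajax_hits"]:
        print(f"[ajax] {ts} {ip} called action={action}")
    for login in findings["unexpected_admins"]:
        print(f"[users] administrator not in baseline: {login}")
```

Note the fourth sample line: WordPress accepts the `action` parameter in the POST body as well as the query string, and a plain access log records only the latter. To see body-carried actions, log at the application or WAF layer (where request bodies are available) rather than relying on the web server's access log alone.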
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical nature of this privilege escalation flaw, immediate action is required to secure affected WordPress installations. Administrators should prioritize updating or removing the vulnerable plugin to prevent unauthorized administrative access and potential site compromise.