CVE-2026-8732
Deferred Deferred - Pending Action
Privilege Escalation via Administrator Account Creation in WP Maps Pro

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8732
EUVD
EUVD-2026-33251
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
flippercode store_locator_for_wordpress_google_maps_openstreetmap_mapbox to 6.1.2 (exc)
flippercode store_locator_for_wordpress_google_maps_openstreetmap_mapbox to 6.1.0 (inc)
wordfence wp_maps_pro to 6.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP Maps Pro plugin for WordPress has a vulnerability that allows an attacker to escalate their privileges by creating an administrator account without authentication.

This happens because the plugin registers an AJAX action that is supposed to be protected by a nonce check, but the nonce is publicly available on every frontend page, making the protection ineffective.

An unauthenticated attacker can exploit this by invoking a specific handler that creates a new WordPress user with administrator privileges and provides a magic login URL that authenticates the attacker as that administrator, leading to complete site takeover.

Impact Analysis

This vulnerability can have severe impacts including complete takeover of your WordPress site by an attacker.

An attacker can create an administrator account without any authentication, allowing them full control over the site.

This can lead to unauthorized changes, data theft, defacement, installation of malicious code, or further attacks on site visitors.

Detection Guidance

Detection of this vulnerability involves checking if the affected plugin version is installed and if the vulnerable AJAX action is accessible without authentication.

One approach is to verify the plugin version installed on your WordPress site. Versions up to and including 6.1.0 are vulnerable.

You can also attempt to detect the presence of the vulnerable AJAX action by sending an HTTP POST request to the WordPress admin-ajax.php endpoint with the action parameter set to wpgmp_temp_access_ajax and check for responses indicating user creation.

  • Use curl or similar tools to send a POST request to: https://your-wordpress-site.com/wp-admin/admin-ajax.php with data: action=wpgmp_temp_access_ajax&check_temp=false&nonce=fc-call-nonce (nonce can be extracted from the frontend JavaScript object wpgmp_local).
  • Check WordPress user list for any unexpected new administrator accounts.
Mitigation Strategies

The immediate and most effective mitigation is to update the Store Locator for WordPress plugin to version 6.1.2 or later, where the temporary access feature causing the vulnerability has been removed.

If updating is not immediately possible, restrict access to the vulnerable AJAX action by implementing additional access controls or disabling the plugin temporarily.

Additionally, review your WordPress user accounts for any unauthorized administrator accounts and remove them.

Monitor your site for suspicious activity and consider resetting administrator passwords.

Compliance Impact

The vulnerability allows unauthenticated attackers to create administrator accounts and take over WordPress sites using the affected plugin. This complete site takeover can lead to unauthorized access to sensitive data, potentially violating data protection regulations such as GDPR and HIPAA that require strict access controls and protection of personal and health information.

By enabling privilege escalation and unauthorized administrative access, the vulnerability undermines the security measures necessary to maintain compliance with these standards, increasing the risk of data breaches and non-compliance penalties.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8732. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart