WP Maps Pro Bug Grants Unauthenticated Admin Access in WordPress (CVE-2026-8732)

A critical vulnerability tracked as CVE-2026-8732 in the WP Maps Pro WordPress plugin is currently being actively exploited, allowing attackers to create administrator accounts without any authentication. Within just 24 hours, thousands of attack attempts have already been detected and blocked.

WP Maps Pro is a widely used plugin designed to help website owners integrate interactive maps such as Google Maps and OpenStreetMap into their sites, complete with location markers, listings, and search features. With over 15,000 installations based on marketplace data, the plugin has a significant user base, making it an attractive target for attackers.

The flaw carries a CVSS score of 9.8, indicating a critical severity level. The vulnerability originates from a “temporary access” feature intended to assist support staff in troubleshooting customer websites. This feature exposed an AJAX endpoint (wpgmp_temp_access_ajax) that was incorrectly configured to allow unauthenticated access through WordPress’s wp_ajax_nopriv_ mechanism.

Although a nonce was implemented as a security measure, it was ineffective because the value was publicly embedded in every page of the website’s frontend. This effectively allowed anyone to retrieve the nonce and use it to interact with the vulnerable endpoint.

By exploiting this flaw, an attacker can send a specially crafted request to the endpoint and trigger functionality that creates a new WordPress user with full administrator privileges. The system then generates a unique login URL which, when accessed, automatically authenticates the attacker by setting a valid session cookie. This results in complete control over the affected website without requiring legitimate credentials.

The underlying issue highlights a major design flaw: the misuse of nonces as an authentication mechanism. Nonces are intended to prevent cross-site request forgery (CSRF), not to restrict access to sensitive functionality. In this case, relying on a publicly exposed nonce to protect an admin-level action rendered the safeguard useless.
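The following is an added illustration, not code from WP Maps Pro or its developers. It shows the two mistakes the advisory describes (a `wp_ajax_nopriv_` hook on a privileged action, and a publicly embedded nonce standing in for authorization) beside a hardened registration of the same handler. Only the action name `wpgmp_temp_access_ajax` comes from the advisory; every other function name, nonce action and meta key here is hypothetical.

```php
<?php
/**
 * Added example, not WP Maps Pro code. Only the action name
 * wpgmp_temp_access_ajax is from the advisory; all other names are hypothetical.
 */

// ---- Pattern the advisory describes (do not ship) -------------------------
// wp_ajax_nopriv_ fires for visitors with no session at all. Because the nonce
// is printed into every public page, check_ajax_referer() here proves only that
// the caller loaded the site, not that they are allowed to create accounts.
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'example_temp_access_weak' );
add_action( 'wp_ajax_wpgmp_temp_access_ajax',        'example_temp_access_weak' );

function example_temp_access_weak() {
    check_ajax_referer( 'example_temp_access', 'nonce' ); // CSRF check only, no authorization
    wp_send_json( example_create_support_admin() );       // privileged action reachable by anyone
}

// ---- Hardened version ------------------------------------------------------
// 1. Register only the wp_ajax_ hook: requests without a session never reach it.
// 2. Check a capability inside the handler: the hook alone admits any logged-in
//    user, including subscribers.
// 3. Keep the nonce, but as a CSRF defence layered on top of authorization.
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'example_temp_access_hardened' );

function example_temp_access_hardened() {
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_temp_access', 'nonce' );

    $result = example_create_support_admin();

    // Audit trail: who granted the support account, and when.
    update_user_meta( $result['user_id'], 'example_temp_access_granted_by', get_current_user_id() );
    update_user_meta( $result['user_id'], 'example_temp_access_granted_at', time() );

    wp_send_json_success( $result );
}

// Shared helper: creates the support account and returns its credentials to the
// already-authenticated administrator, instead of minting a self-authenticating URL.
function example_create_support_admin() {
    $login    = 'support_' . wp_generate_password( 8, false, false );
    $password = wp_generate_password( 32 );
    $user_id  = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    return array( 'user_id' => $user_id, 'user_login' => $login, 'password' => $password );
}
```

The capability check is the part that actually closes the hole: dropping the `wp_ajax_nopriv_` registration alone still lets any authenticated user, subscriber included, hit the endpoint, and the nonce by itself never was an access control. The `granted_by` meta also gives incident responders something to check when an unexpected administrator account appears.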

This vulnerability was discovered by security researcher David Brown through the Wordfence Bug Bounty Program, earning a reward of $1,950 for the report. The plugin developers addressed the issue on May 20, 2026, by releasing version 6.1.1, which restricts access to the vulnerable functionality so that only authenticated administrators can use it. All earlier versions, up to 6.1.0, remain exposed.

Despite the availability of a fix, attackers began exploiting the flaw almost immediately after disclosure. Wordfence reported blocking over 2,800 attack attempts within a single day, demonstrating how quickly threat actors can weaponize newly discovered vulnerabilities in widely used WordPress plugins.

The rapid escalation in attacks reflects a common pattern in the WordPress ecosystem, where publicly available proof-of-concept exploits quickly lead to mass exploitation, especially given that many site owners delay or neglect plugin updates.

For website administrators using WP Maps Pro, immediate action is critical. Updating to version 6.1.1 will eliminate the vulnerability. If applying the update is not immediately possible, disabling the plugin entirely is strongly recommended until patching can be completed.

Failure to address the issue can result in full site compromise. Once attackers gain administrator access, they can install malicious backdoors, redirect traffic, inject harmful content, or extract sensitive data stored on the site. While applying the update is a quick and simple process, recovering from a complete takeover can be significantly more complex and time-consuming.
