Privilege Escalation in WP Maps Pro Plugin by WordPress
CVE-2026-8732

9.8 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 29 May 2026

Badges

  • 📈 Trended
  • 📈 Score: 1,630
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 📰 News Worthy

What is CVE-2026-8732?

CVE-2026-8732 is a critical privilege escalation vulnerability in the WP Maps Pro plugin for WordPress, affecting all versions up to and including 6.1.0. The plugin integrates map functionality into WordPress sites, letting site owners display Google Maps and related features. The flaw lies in the AJAX action wpgmp_temp_access_ajax: it is registered under the wp_ajax_nopriv_ hook, which makes it reachable without a logged-in session, and its only protection is a nonce that is exposed publicly. A WordPress nonce is a CSRF token, not an authorization check, so an unauthenticated attacker who obtains the nonce can invoke the action and create a new administrator account. The response includes a login URL that grants the attacker complete access to and control over the site, effectively a full takeover. Organizations running this plugin risk significant operational disruption, data compromise, and loss of control over their web presence.
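The registration pattern described above, as an added illustration that is not WP Maps Pro's own code: a handler exposed through wp_ajax_nopriv_ with only a nonce check, beside the hardened form that registers it for logged-in users only and verifies capability before doing privileged work. The hook and action names come from the advisory; the handler function names, nonce action strings and bodies are assumptions.

```php
<?php
// Added illustration (hypothetical, not the plugin's code) of the weak and the
// hardened way to expose a privileged AJAX action in WordPress.

// WEAK: wp_ajax_nopriv_ makes the action reachable without a session, and the
// nonce is the only gate. A nonce printed into public-facing markup is available
// to anyone who loads the page, and it only proves the request is not CSRF.
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'weak_temp_access_handler' );
function weak_temp_access_handler() {
    check_ajax_referer( 'wpgmp_nonce', 'nonce' ); // CSRF check, not authorization
    // ... privileged work such as account creation would follow here ...
    wp_send_json_success();
}

// HARDENED: register only on wp_ajax_ (logged-in users), then require an explicit
// capability, then verify a nonce that is only ever emitted to users who hold
// that capability (for example via wp_create_nonce() in an admin-only screen).
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'hardened_temp_access_handler' );
function hardened_temp_access_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {      // authorization check first
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'wpgmp_temp_access', 'nonce' );   // then the CSRF check
    // ... privileged work, now limited to administrators ...
    wp_send_json_success();
}
```

Reviewing a plugin for this class of bug means checking every wp_ajax_nopriv_ registration for a handler that changes state or roles, and confirming that a nonce is never the sole protection.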

Potential impact of CVE-2026-8732

  1. Complete Site Takeover: The vulnerability allows attackers to gain full administrative rights, enabling them to modify site content, install malicious plugins, or even delete the entire site.

  2. Data Breach and Compromise: Once an attacker has administrative access, there is a significant risk of data theft, including sensitive customer information, which can lead to privacy violations and regulatory repercussions.

  3. Reputation Damage: Organizations affected by this vulnerability may suffer reputational harm due to potential downtime, data leaks, or inappropriate content placed on their sites, which can erode user trust and impact customer relationships.

Affected Version(s)

WP Maps Pro: versions 0 through 6.0.4 (inclusive)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

Critical WordPress Plugin Flaw Exposes 15,000 Sites to Instant Admin Takeover

A critical unauthenticated admin account creation flaw in WP Maps Pro (CVE-2026-8732) has triggered over 3,600 exploitation attempts in a single day across 15,000+ sites. The bug in the plugin's temporary access feature allows instant site takeover via a publicly exposed AJAX action. Updates and use...

3 weeks ago

WP Maps Pro WordPress flaw exploited to create admin accounts

CVE-2026-8732 in WP Maps Pro lets unauthenticated attackers create admin accounts on 15,000+ WordPress sites. Wordfence blocked 2,858 attacks in 24 hours.

3 weeks ago

WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites - IT Security News

The security defect (CVE-2026-8732) allows unauthenticated attackers to create administrative accounts on the affected installations. (Indexed from SecurityWeek.)

3 weeks ago

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📈 Vulnerability started trending
  • 📰 First article discovered by BleepingComputer
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

David Brown