An urgent vulnerability (CVE-2026-8732) has been discovered in "WP Maps Pro," a feature-rich map plugin for WordPress. If exploited, this vulnerability allows unauthenticated remote attackers to create new administrator accounts for a site without a password, leading to complete control over the website. Attacks targeting this vulnerability are currently being actively observed, and all site operators using WP Maps Pro must immediately update the plugin to the latest version.
Vulnerability Overview and Scope
This vulnerability (CVE-2026-8732) exists in WP Maps Pro plugin versions 6.1.0 and earlier. There is a fundamental flaw in the implementation of the plugin's "temporary access" feature, where an AJAX endpoint (wpgmp_temp_access_ajax), intended for support staff to log into customer sites, was accessible to unauthenticated users. Furthermore, this feature relied solely on a nonce check to prevent Cross-Site Request Forgery (CSRF), but the nonce was publicly exposed via frontend JavaScript, rendering it ineffective as a security measure.
Specific Impact and Attack Scenario
Attackers can leverage the publicly exposed Nonce to send a crafted request, thereby creating a new WordPress user with administrator privileges. This process does not require a password; instead, through an automatically generated "magic login URL," attackers can log into the newly created administrator account and seize complete control of the site. This allows for all kinds of malicious operations, such as installing backdoors, tampering with content, accessing sensitive data, and installing web shells or malicious plugins.
WordPress security company Wordfence reported blocking thousands of attacks targeting this vulnerability within 24 hours, and Defiant has similarly observed over 3,600 attacks. This aligns with the trend of WordPress plugin vulnerabilities where widespread exploitation begins almost immediately upon the release of a Proof-of-Concept (PoC).
Actions Engineers Must Take Immediately
If you are using the WP Maps Pro plugin, prioritize updating to version 6.1.1 or later. If an immediate update is not possible, it is strongly recommended to temporarily deactivate or delete the WP Maps Pro plugin. Additionally, check your WordPress user list for any administrator accounts you do not recognize. In the unlikely event that an unfamiliar administrator account has been created, delete it immediately and conduct a comprehensive security audit of your entire site.
As an urgent mitigation, blocking access to the vulnerable AJAX endpoint in your web server's WAF settings or .htaccess file is also effective. Below is an Nginx configuration example, but similar measures can be implemented using .htaccess.

```nginx
location = /wp-admin/admin-ajax.php {
    if ($query_string ~ "(^|&)action=wpgmp_temp_access_ajax(&|$)") {
        return 403;
    }
    # Continue with normal admin-ajax.php processing. An exact-match location
    # takes precedence over the site's "location ~ \.php$" block, so the PHP
    # handler must be repeated here; otherwise Nginx would serve the .php file
    # as a static download. Match fastcgi_pass to your existing PHP setup.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;  # adjust to your PHP-FPM socket or port
}
```

This configuration blocks requests to `/wp-admin/admin-ajax.php` whose query string contains `action=wpgmp_temp_access_ajax` and returns a 403 Forbidden error. This is a temporary mitigation, and a plugin update is essential for a permanent solution.
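For the "check your site" step, here is an added example (not code from the advisory, Wordfence, or the plugin vendor) that scans web server access logs in the common "combined" format for requests carrying the vulnerable action in the query string and tallies the source addresses; the log lines are constructed. Like the Nginx rule above, it only sees the action when it is in the query string: an action sent only in a POST body is not recorded in a standard access log, so treat a clean log as necessary but not sufficient.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" access-log format (assumed; adjust if yours differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

VULN_ACTION = "wpgmp_temp_access_ajax"  # action name from the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"

def is_temp_access_request(target: str) -> bool:
    """True if the request target is admin-ajax.php with the vulnerable action in its query string."""
    parts = urlsplit(target)
    if parts.path != AJAX_PATH:
        return False
    return VULN_ACTION in parse_qs(parts.query).get("action", [])

def find_exploit_attempts(lines):
    """One record per log line that hit the vulnerable endpoint; status 403 means the block rule worked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_temp_access_request(m["target"]):
            hits.append({"ip": m["ip"], "time": m["time"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

def sources_by_count(hits):
    """Source addresses ordered by number of attempts, for blocklisting or escalation."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:08:01:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 98 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:02:03 +0000] "GET /wp-admin/admin-ajax.php?x=1&action=wpgmp_temp_access_ajax HTTP/1.1" 403 153 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:08:05:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 41 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    attempts = find_exploit_attempts(SAMPLE_LOG.splitlines())
    for h in attempts:
        print(f'{h["time"]} {h["ip"]} {h["method"]} -> {h["status"]}')
    print("by source:", sources_by_count(attempts))
```

A hit with status 200 from before the mitigation was deployed is the signal to go straight to the user-list check and audit described above.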
Reference Sources / Official Patch Information
- Wordfence - CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password
- WP Maps Pro bug exploited to create admin accounts on WordPress sites - BleepingComputer
- National Vulnerability Database (NVD) - CVE-2026-8732 (Tentative) *Will be updated upon publication
- WP Maps Pro Plugin Official Page (Check for update information)
