{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wp-maps-pro-plugin--6.1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-8732"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP Maps Pro plugin \u003c= 6.1.0"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","wordpress","plugin","CVE-2026-8732"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Maps Pro plugin, in versions up to and including 6.1.0, contains a privilege escalation vulnerability (CVE-2026-8732) exploitable by unauthenticated attackers. The vulnerability stems from the \u003ccode\u003ewpgmp_temp_access_ajax\u003c/code\u003e AJAX action, intended for temporary access support, which is inadequately protected.  The nonce check, meant to restrict access, relies on the \u003ccode\u003efc-call-nonce\u003c/code\u003e which is publicly exposed on every frontend page. This renders the nonce check ineffective, enabling unauthorized users to invoke the \u003ccode\u003ewpgmp_temp_access_support\u003c/code\u003e handler. The \u003ccode\u003echeck_temp=false\u003c/code\u003e parameter bypasses intended checks, leading to the unconditional creation of a new WordPress administrator account via the \u003ccode\u003ewp_insert_user()\u003c/code\u003e function. The plugin then returns a magic login URL that, when visited, calls \u003ccode\u003ewp_set_auth_cookie()\u003c/code\u003e to authenticate the attacker as the newly-created admin, granting complete site control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker accesses a WordPress site running a vulnerable version of the WP Maps Pro plugin (\u0026lt;= 6.1.0).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the publicly exposed \u003ccode\u003efc-call-nonce\u003c/code\u003e value within the HTML source code.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request to the \u003ccode\u003ewpgmp_temp_access_ajax\u003c/code\u003e endpoint, setting \u003ccode\u003eaction\u003c/code\u003e to \u003ccode\u003ewpgmp_temp_access_support\u003c/code\u003e and \u003ccode\u003echeck_temp\u003c/code\u003e to \u003ccode\u003efalse\u003c/code\u003e, and includes the \u003ccode\u003efc-call-nonce\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin\u0026rsquo;s code executes the \u003ccode\u003ewpgmp_temp_access_support\u003c/code\u003e handler.\u003c/li\u003e\n\u003cli\u003eThe handler bypasses checks due to the ineffective nonce validation and \u003ccode\u003echeck_temp=false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewp_insert_user()\u003c/code\u003e function creates a new WordPress user with the role of administrator.\u003c/li\u003e\n\u003cli\u003eThe plugin generates and returns a \u0026ldquo;magic login URL\u0026rdquo; specific to the newly created user.\u003c/li\u003e\n\u003cli\u003eThe attacker visits the magic login URL, triggering the \u003ccode\u003ewp_set_auth_cookie()\u003c/code\u003e function which logs them in as the administrator, granting complete control of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8732 grants an unauthenticated attacker complete administrative control over the affected WordPress site. This can lead to defacement, data theft, malware deployment, or use of the compromised website for further malicious activities. The vulnerability affects all sites using the WP Maps Pro plugin up to and including version 6.1.0, potentially impacting a large number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Maps Pro plugin to a version greater than 6.1.0 to patch CVE-2026-8732.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-8732 Exploitation Attempt via wpgmp_temp_access_ajax\u0026rdquo; to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction=wpgmp_temp_access_ajax\u003c/code\u003e and \u003ccode\u003echeck_temp=false\u003c/code\u003e parameters in the request body, as this indicates a potential exploit attempt.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T07:18:23Z","date_published":"2026-05-29T07:18:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8732-wp-maps-pro-privesc/","summary":"The WP Maps Pro plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8732), allowing unauthenticated attackers to create administrator accounts and take over vulnerable sites.","title":"CVE-2026-8732 WP Maps Pro Plugin Privilege Escalation via Administrator Account Creation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8732-wp-maps-pro-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — WP Maps Pro Plugin \u003c= 6.1.0","version":"https://jsonfeed.org/version/1.1"}