WP Maps Pro Plugin <= 6.1.0 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/wp-maps-pro-plugin--6.1.0/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 29 May 2026 07:18:23 +0000CVE-2026-8732 WP Maps Pro Plugin Privilege Escalation via Administrator Account Creationhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-8732-wp-maps-pro-privesc/Fri, 29 May 2026 07:18:23 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-8732-wp-maps-pro-privesc/The WP Maps Pro plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8732), allowing unauthenticated attackers to create administrator accounts and take over vulnerable sites.The WP Maps Pro plugin, in versions up to and including 6.1.0, contains a privilege escalation vulnerability (CVE-2026-8732) exploitable by unauthenticated attackers. The vulnerability stems from the wpgmp_temp_access_ajax AJAX action, intended for temporary access support, which is inadequately protected. The nonce check, meant to restrict access, relies on the fc-call-nonce which is publicly exposed on every frontend page. This renders the nonce check ineffective, enabling unauthorized users to invoke the wpgmp_temp_access_support handler. The check_temp=false parameter bypasses intended checks, leading to the unconditional creation of a new WordPress administrator account via the wp_insert_user() function. The plugin then returns a magic login URL that, when visited, calls wp_set_auth_cookie() to authenticate the attacker as the newly-created admin, granting complete site control.

Attack Chain

  1. The attacker accesses a WordPress site running a vulnerable version of the WP Maps Pro plugin (<= 6.1.0).
  2. The attacker identifies the publicly exposed fc-call-nonce value within the HTML source code.
  3. The attacker crafts a malicious AJAX request to the wpgmp_temp_access_ajax endpoint, setting action to wpgmp_temp_access_support and check_temp to false, and includes the fc-call-nonce value.
  4. The vulnerable plugin’s code executes the wpgmp_temp_access_support handler.
  5. The handler bypasses checks due to the ineffective nonce validation and check_temp=false.
  6. The wp_insert_user() function creates a new WordPress user with the role of administrator.
  7. The plugin generates and returns a “magic login URL” specific to the newly created user.
  8. The attacker visits the magic login URL, triggering the wp_set_auth_cookie() function which logs them in as the administrator, granting complete control of the WordPress site.

Impact

Successful exploitation of CVE-2026-8732 grants an unauthenticated attacker complete administrative control over the affected WordPress site. This can lead to defacement, data theft, malware deployment, or use of the compromised website for further malicious activities. The vulnerability affects all sites using the WP Maps Pro plugin up to and including version 6.1.0, potentially impacting a large number of websites.

Recommendation

  • Upgrade the WP Maps Pro plugin to a version greater than 6.1.0 to patch CVE-2026-8732.
  • Deploy the Sigma rule “Detect CVE-2026-8732 Exploitation Attempt via wpgmp_temp_access_ajax” to detect attempts to exploit this vulnerability.
  • Monitor web server logs for POST requests to /wp-admin/admin-ajax.php with the action=wpgmp_temp_access_ajax and check_temp=false parameters in the request body, as this indicates a potential exploit attempt.
]]>criticaladvisoryprivilege-escalationwordpresspluginCVE-2026-8732