Critical Unauthenticated Administrator Account Creation Vulnerability in WP Maps Pro (CVE-2026-8732)
Patch WP Maps Pro to 6.1.1 immediately to eliminate the unauthenticated admin account creation flaw (CVE-2026-8732); verify that the wpgmp_temp_access_ajax endpoint is no longer accessible to unauthenticated users; monitor logs for suspicious admin account creation.
Summary
WP Maps Pro, a popular WordPress plugin with over 15,000 sales, was found to allow unauthenticated attackers to create new administrator accounts via the wpgmp_temp_access_ajax endpoint. The flaw exists in all versions up to and including 6.1.0 (and earlier <=6.0.4) because the AJAX action is registered with wp_ajax_nopriv_ and is protected only by a nonce that is publicly embedded in every front-end page; a nonce anyone can read proves nothing about who is calling, so the check provides no authorization. An attacker can post a request with check_temp=false, which triggers wp_insert_user() to create a hard-coded administrator user and returns a magic login URL that, when visited, authenticates the attacker as that user.
The vendor released patch 6.1.1 on March 24, 2026, adding a current_user_can('manage_options') capability check to the AJAX callback, restricting the endpoint to logged‑in administrators only. Wordfence issued a firewall rule on May 18, 2026 for premium users and on June 17 for free users to block exploitation attempts. Users are urged to update immediately to eliminate the critical CVE-2026-8732 vulnerability.
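The following is an added illustration of the two handler patterns the summary contrasts: an AJAX action exposed through wp_ajax_nopriv_ and guarded only by a public nonce, next to the hardened form that mirrors the 6.1.1 fix (a current_user_can('manage_options') check, no nopriv registration). It is not WP Maps Pro's own code; the action name example_temp_access, the nonce name example_nonce and the example_ function names are assumptions, while the hooks and helper functions are WordPress core APIs.

```php
<?php
// Added illustration, not WP Maps Pro code. Names prefixed example_ are assumed.

// --- Vulnerable pattern (as described in the advisory) ----------------------
// wp_ajax_nopriv_ exposes the action to visitors who are not logged in, and a
// nonce printed into every front-end page is readable by anyone, so
// check_ajax_referer() here proves nothing about who the caller is.
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' );
add_action( 'wp_ajax_example_temp_access',        'example_temp_access_vulnerable' );

function example_temp_access_vulnerable() {
    check_ajax_referer( 'example_nonce', 'nonce' ); // anti-CSRF only, not authorization
    // ... privileged work would follow here (in the real flaw: wp_insert_user()
    //     with role administrator, then a login URL) ...
    wp_send_json_success();
}

// --- Hardened pattern (mirrors the 6.1.1 fix: a capability check) -----------
// 1. No nopriv variant is registered, so an unauthenticated request to
//    admin-ajax.php never reaches the callback.
// 2. A capability check is required: a nonce answers "did this request come
//    from my own page?", current_user_can() answers "may this user do it?".
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );

function example_temp_access_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    check_ajax_referer( 'example_nonce', 'nonce' );

    // Never take the role from the request; decide it server-side and
    // validate every field before it reaches wp_insert_user().
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    if ( '' === $login || username_exists( $login ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or existing user' ), 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber', // least privilege; never 'administrator' by default
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The design point is that the nonce and the capability check answer different questions and both are needed: the nonce stops cross-site request forgery against a logged-in admin, and the capability check stops the anonymous caller that the nonce alone lets through. Dropping the wp_ajax_nopriv_ registration is the cheapest part of the fix, and a code review of any plugin can grep for wp_ajax_nopriv_ callbacks that call wp_insert_user(), wp_set_auth_cookie() or set_role() without a capability check.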
Key changes
- Unauthenticated users can invoke wpgmp_temp_access_ajax to create an administrator account via a publicly exposed nonce
- The AJAX action lacks a capability check, allowing any visitor to trigger account creation
- Patch adds current_user_can('manage_options') to restrict the endpoint to logged‑in admins
- The flaw creates a user with hardcoded role administrator and email [email protected], then returns a magic login URL
- Visiting the URL authenticates the attacker as the new administrator via wp_set_auth_cookie()
- Vulnerability present in all WP Maps Pro versions <=6.1.0 (and earlier <=6.0.4)
- Patch version 6.1.1 released on March 24, 2026
- Wordfence firewall rule added on May 18 for premium users and June 17 for free users
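To act on the recommendation above to monitor for suspicious administrator account creation, here is an added must-use-plugin snippet (not WP Maps Pro's or Wordfence's code) that writes an audit record whenever an administrator account is created or an existing account is promoted, and escalates the case the advisory describes: an administrator created while no user is logged in. The example_ function name and the ADMIN_ACCOUNT_AUDIT log prefix are assumptions; user_register and set_user_role are WordPress core hooks.

```php
<?php
// Added illustration for detection, not vendor code. Drop into wp-content/mu-plugins/.
// Names prefixed example_ and the log prefix are assumed.

function example_log_admin_account_event( $event, $user_id ) {
    $user  = get_userdata( $user_id );
    $actor = get_current_user_id(); // 0 means no logged-in user triggered the change

    $record = array(
        'event'       => $event,
        'user_id'     => $user_id,
        'user_login'  => $user ? $user->user_login : '(unknown)',
        'user_email'  => $user ? $user->user_email : '(unknown)',
        'actor_id'    => $actor,
        'actor_login' => $actor ? wp_get_current_user()->user_login : '(unauthenticated)',
        'remote_ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'request_uri' => isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'ajax_action' => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
        'time_utc'    => gmdate( 'c' ),
    );

    // error_log() goes to the PHP/web-server error log; forward that log to your SIEM
    // and alert on the ADMIN_ACCOUNT_AUDIT prefix.
    error_log( 'ADMIN_ACCOUNT_AUDIT ' . wp_json_encode( $record ) );

    // An administrator appearing with no logged-in actor is exactly the pattern
    // an unauthenticated account-creation flaw produces: escalate immediately.
    if ( 0 === $actor ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Administrator account change with no logged-in user',
            wp_json_encode( $record, JSON_PRETTY_PRINT )
        );
    }
}

// Fires after wp_insert_user() has committed the new account.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        example_log_admin_account_event( 'admin_created', $user_id );
    }
}, 10, 1 );

// Fires when an existing account's role changes (privilege-escalation path).
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        example_log_admin_account_event( 'admin_promoted', $user_id );
    }
}, 10, 3 );
```

For a one-off retrospective check on a site that ran a vulnerable version, the core WP-CLI command `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` lists every administrator with its creation timestamp; any account you do not recognise, or whose registration time falls in the exposure window before the 6.1.1 update, warrants removal and a password and session reset for the remaining admins.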