Critical WordPress Plugin Flaw Exposes 15,000 Sites to Instant Admin Takeover

A critical unauthenticated admin account creation flaw in WP Maps Pro (CVE-2026-8732) has triggered over 3,600 exploitation attempts in a single day across 15,000+ sites. The bug in the plugin's temporary access feature allows instant site takeover via a publicly exposed AJAX action. Updates and user audits are essential.
Written by Emma Rogers

WordPress site administrators woke up to fresh alerts last week. A popular premium mapping plugin carried a critical vulnerability that let anyone create a full administrator account without credentials or prior access. The flaw, now tracked as CVE-2026-8732, earned a 9.8 CVSS score. Exploitation surged immediately after disclosure.

WP Maps Pro sells on the Envato Market. More than 15,000 copies have moved. Businesses rely on it for interactive Google Maps embeds, store locators, and location directories. The plugin supports OpenStreetMap too. Its reach made the bug especially dangerous.

Security researcher David Brown found the issue. He reported it to Wordfence on March 24, 2026. Validation took time. The vendor, WePlugins, received formal notice on May 16. A patch arrived four days later in version 6.1.1, released May 20. By then attackers had already begun scanning.

The vulnerability sits inside a feature called Temporary Access. Developers built it so support staff at flippercode.com could troubleshoot customer sites without sharing passwords. The AJAX action wpgmp_temp_access_ajax was registered through the wp_ajax_nopriv_ hook. That made it reachable by unauthenticated visitors. Protection relied on a nonce. But the nonce value appeared publicly in frontend JavaScript through wp_localize_script. The check offered no real barrier.

Attackers send a crafted request. They set the check_temp parameter to false. The handler calls wp_insert_user(). It creates a new account. The username starts with fc_user_ and generates randomly. The email address stays fixed at [email protected]. The role assigned is administrator. No questions asked.

Next the code generates a magic login URL. It stores the link in user meta. The response body returns that URL to the attacker. When visited, the link triggers wp_set_auth_cookie(). The attacker logs in automatically. Full site control follows. Backdoors can drop. Content changes. Databases empty. Malicious plugins install. The takeover completes in seconds.

“This vulnerability allows unauthenticated threat actors to create new administrator accounts and gain full control of the affected site,” Wordfence researchers wrote in their detailed analysis. The explanation matches exactly what Brown uncovered.

Wordfence blocked 2,858 attacks in one 24-hour period. BleepingComputer reported the number climbed past 3,600 attempts in a single day according to Defiant’s telemetry. The numbers keep rising. Automated bots scan the internet for sites still running versions 6.1.0 or older. They don’t stop.

The vendor published guidance. Site owners should update to 6.1.1 immediately. Then open the Users section in the WordPress dashboard. Look for any administrator accounts using the email [email protected]. Delete them. Review every other admin entry too. Unknown accounts require removal.

The Hacker News noted the patch adds a current_user_can('manage_options') check. Only logged-in administrators can now reach the endpoint. The temporary access feature no longer exposes itself to the public internet. Simple. Effective. But only if applied.
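As an added example, not WePlugins' code, here is the support-access handler the article describes, hardened along the lines of the reported 6.1.1 fix, together with a helper for the administrator audit the vendor recommends. The example_ hook and function names and the placeholder support email are assumptions.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are assumptions.

// Register for logged-in users only. The original handler was hooked with
// wp_ajax_nopriv_, which is what let unauthenticated visitors reach it.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_handler' );

function example_temp_access_handler() {
    // Capability check first: the check the 6.1.1 patch is reported to add.
    // A nonce proves the request came from a page you served, not who sent it,
    // and this plugin's nonce leaked through wp_localize_script.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Nonce second, as CSRF protection for the administrator's own request.
    check_ajax_referer( 'example_temp_access', 'nonce' );

    // The server decides which checks run. A client-controlled flag such as the
    // original check_temp parameter must never be able to switch them off.
    $user_id = wp_insert_user( array(
        'user_login' => 'fc_user_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24, true ),
        'user_email' => 'support@example.invalid', // placeholder, not the vendor's address
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }

    // Record who created the support account so a later audit can attribute it.
    update_user_meta( $user_id, 'example_created_by', get_current_user_id() );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

/**
 * Audit helper for the clean-up step the vendor recommends: returns administrator
 * accounts whose login carries the fc_user_ prefix or whose email matches the
 * fixed support address from the advisory (passed in; not reproduced here).
 */
function example_find_suspicious_admins( $support_email ) {
    $hits = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( 0 === strpos( $user->user_login, 'fc_user_' )
            || 0 === strcasecmp( $user->user_email, $support_email ) ) {
            $hits[] = $user;
        }
    }
    return $hits;
}
```

Run the audit helper from a mu-plugin or WP-CLI shell after updating; any account it returns should be reviewed and removed, and every other administrator entry checked by hand as the vendor advises.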

This incident fits a larger pattern. WordPress powers more than 40 percent of the web. Plugins handle everything from maps to forms to e-commerce. Many ship with convenience features that bypass standard authentication. Nonces appear often as sufficient protection. When those nonces leak into public JavaScript objects the assumption collapses.

Brown earned a $1,950 bounty for the report. The amount reflects the severity. Complete site takeover without authentication ranks among the worst plugin flaws possible. Yet similar issues surface regularly. Last year alone saw hundreds of unauthenticated privilege escalations across the plugin directory.

Attackers don’t need zero-days anymore. They scan for known vulnerabilities with public proof-of-concept code. In this case the mechanics appeared in Wordfence’s advisory within days of the patch. The window for safe updating shrinks fast.

Organizations running WP Maps Pro face immediate risk. Real estate portals. Travel directories. Local business sites. Each depends on the plugin for core functionality. Taking it offline disrupts operations. Leaving it unpatched invites takeover. The choice feels binary.

Wordfence pushed a firewall rule for its premium customers on May 18. Free users received protection later. That timeline left thousands exposed in the gap between disclosure and full coverage. Many site owners still haven’t updated. The attack counts prove it.

Plugin developers bear responsibility too. Convenience features must never shortcut core security controls. Capability checks belong at the earliest possible point. Nonces supplement authentication. They don’t replace it. Hardcoded emails and roles in support functions invite exactly this abuse.

Site administrators carry the final load. They must track installed plugins. They must apply updates quickly. They must audit user lists after any security alert. Automated tools help. So do managed WordPress hosts that block suspicious AJAX calls at the edge.

The WP Maps Pro case offers a clear lesson. A single overlooked AJAX handler can hand the keys to thousands of sites. The attacks continue today. The patched version sits ready. Yet the gap between awareness and action remains wide. Update now. Check users next. Assume compromise until proven otherwise.

Security teams at larger enterprises already run regular plugin audits. They inventory every premium extension. They test updates in staging. Smaller operators often skip these steps. The result shows in the daily attack tallies Wordfence publishes. This vulnerability adds another line to that growing list.
