OFFSITE.DARK
May 30, 2026

Sploitus

  • wordpress
  • privilege-escalation
  • cve
  • plugin
  • auth-bypass

news

WP Maps Pro Unauthenticated Admin Creation (CVE-2026-8732)

Sploitus mass-scanner PoCs abuse wpgmp_temp_access_ajax with public fc-call-nonce to create administrator accounts.

Summary

CVE-2026-8732 is a critical unauthenticated privilege escalation in the WP Maps Pro (wp-google-map-gold) WordPress plugin (versions ≤ 6.1.0). The wpgmp_temp_access_ajax action is registered with wp_ajax_nopriv_ and gated only by the fc-call-nonce value — which is publicly embedded on every frontend page via wp_localize_script as wpgmp_local.nonce. Attackers invoke the handler with check_temp=false to create a hardcoded administrator user and receive a magic login URL that calls wp_set_auth_cookie(). Multiple automated mass-scanners are indexed on Sploitus. CVSS 9.8.

OFFSITE.DARK cites Sploitus as index source only.

Technical Details

Aspect          Detail
CVE             CVE-2026-8732
Component       WP Maps Pro plugin
Affected        ≤ 6.1.0
Patched         6.1.1
Primitive       Missing authentication on critical AJAX → wp_insert_user() as admin
Nonce exposure  fc-call-nonce in wpgmp_local on all public pages
CWE             Missing Authentication for Critical Function

Indexed attack chain:

GET target homepage → extract wpgmp_local nonce
        │
        ▼
POST admin-ajax.php action=wpgmp_temp_access_ajax (check_temp=false)
        │
        ▼
Plugin creates administrator via wp_insert_user()
        │
        ▼
Follow magic URL → wp_set_auth_cookie() → full admin session

Some indexed tooling adds persistent backdoor phases and mass-scan orchestration.

CVE

Field          Value
CVE            CVE-2026-8732
CVSS           9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Researcher     David Brown (Wordfence)
Published      2026-05-28
Sploitus date  2026-05-30

Impact

Complete site takeover without credentials — among the highest-impact WordPress plugin flaw classes. Mass-scan PoCs on Sploitus increase likelihood of wide internet probing against sites running WP Maps Pro with GOLD addon features enabled.

Mitigation

  1. Update WP Maps Pro to 6.1.1+ immediately.
  2. Deactivate the plugin if patching is delayed.
  3. Audit administrator accounts and remove unknown admins; rotate all admin passwords and security salts if compromise suspected.
  4. WAF rule: block unauthenticated action=wpgmp_temp_access_ajax POSTs.
  5. Monitor for spikes in admin-ajax.php traffic with wpgmp_temp_access parameters.
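Worked example for mitigations 4 and 5, added here and not taken from the advisory, from Sploitus or from the plugin vendor. It assumes web-server logs in the common combined format, constructs a handful of sample log lines inline, and treats the presence of a wordpress_logged_in_* cookie as the "authenticated" signal for an edge WAF rule (an assumption; the real capability check belongs inside WordPress). Note the caveat that standard access logs record only the query string, so a log-based hunt sees the action only when a scanner puts it in the URL; a WAF or mu-plugin that inspects the POST body is needed to catch the body-parameter form.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined-format access log: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Action name from the advisory; the prefix catches variants of the parameter set
SUSPECT_ACTION = "wpgmp_temp_access_ajax"
SUSPECT_PREFIX = "wpgmp_temp_access"

# Constructed sample log lines (RFC 5737 test addresses, not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2026:10:14:01 +0000] "GET / HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.4 - - [30/May/2026:10:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2026:10:14:06 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 311 "-" "python-requests/2.31"
203.0.113.7 - - [30/May/2026:10:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.9 - - [30/May/2026:10:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 311 "-" "curl/8.1"
"""


def parse_line(line):
    """Split one log line into ip, ts, method, file name and query dict; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["file"] = parts.path.rsplit("/", 1)[-1]
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_suspect(rec):
    """Mitigation 5 match: admin-ajax.php request carrying the vulnerable action or its parameter prefix.
    Only the query string is visible here; POST bodies are not written to access logs."""
    if rec is None or rec["file"] != "admin-ajax.php":
        return False
    q = rec["query"]
    if q.get("action") == SUSPECT_ACTION:
        return True
    return any(k.startswith(SUSPECT_PREFIX) or v.startswith(SUSPECT_PREFIX)
               for k, v in q.items())


def scan(lines, threshold=3):
    """Return (hits, noisy): every matching request, and (ip, minute) buckets at or above threshold."""
    hits = []
    per_ip_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if is_suspect(rec):
            hits.append((rec["ip"], rec["ts"], rec["path"], rec["status"]))
            # "30/May/2026:10:14:01 +0000" -> "30/May/2026:10:14" (minute bucket)
            per_ip_minute[(rec["ip"], rec["ts"][:17])] += 1
    noisy = {key: n for key, n in per_ip_minute.items() if n >= threshold}
    return hits, noisy


def waf_should_block(method, query, body, cookies):
    """Mitigation 4: drop unauthenticated POSTs that carry the vulnerable action.
    A wordpress_logged_in_* cookie is used as a rough 'authenticated' signal (assumption:
    acceptable for an edge rule; WordPress itself still performs the real check)."""
    if method != "POST":
        return False
    action = body.get("action") or query.get("action")
    if action != SUSPECT_ACTION:
        return False
    return not any(name.startswith("wordpress_logged_in_") for name in cookies)


if __name__ == "__main__":
    found, spikes = scan(SAMPLE_LOG.splitlines())
    for ip, ts, path, status in found:
        print(f"suspect {ip} {ts} {status} {path}")
    for (ip, minute), n in spikes.items():
        print(f"spike: {n} requests from {ip} in minute {minute}")
```

Run against a real log with scan(open("access.log")); tune threshold to the site's baseline of admin-ajax.php traffic, and feed the same action match into the WAF rule so that a 403 at the edge (as in the constructed fifth line) is itself a hunting signal.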

Sources

→ Source