CVE-2026-8732
Published 2026-05-29
CVE-2026-8732: The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This…
Priority P1 · 88 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS
9.46%
94.8th percentile
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flippercode | wp_maps_pro | <= 6.0.4 | — |
| xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.11 | 2.9.13+dfsg-1ubuntu0.11 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.7 | 2.9.14+dfsg-1.3ubuntu3.7 |
| xmlsoft | libxml2 | >= 0 < 2.14.5+dfsg-0.2ubuntu0.1 | 2.14.5+dfsg-0.2ubuntu0.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm11 | 2.9.1+dfsg1-3ubuntu4.13+esm11 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm12 | 2.9.3+dfsg1-1ubuntu0.7+esm12 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm7 | 2.9.4+dfsg1-6.1ubuntu1.9+esm7 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.10+esm4 | 2.9.10+dfsg-5ubuntu0.20.04.10+esm4 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) with action=wpgmp_temp_access_ajax and the check_temp=false parameter, indicating exploitation attempts.
- Alert on new WordPress administrator account creation where the registered email address is [email protected], as this is the hardcoded value used by the exploit.
- Inspect frontend JavaScript objects (wpgmp_local) for the exposed nonce field; presence of fc-call-nonce in page source confirms the site is running a vulnerable version of WP Maps Pro (≤6.1.0).
- The nonce (fc-call-nonce) is intentionally embedded in every public frontend page, meaning it is always available to unauthenticated attackers and cannot be treated as a secret or access control mechanism in vulnerable versions.
- The patched version (6.1.1) restricts the endpoint to authenticated administrators only; sites still running ≤6.1.0 remain fully exploitable with no authentication required.
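The first IOC above, turned into log-scanning code, as an added example that is not part of the CVE record, the plugin, or any of the cited sources. It assumes an Apache/nginx combined-format access log and uses constructed sample lines; the endpoint and parameter names come from the advisory text. A combined log records only the request line, so `scan_combined_log` can rate a request from its query string alone, while `classify_request` also accepts a form-encoded body for WAF or request-body logs that capture it.

```python
"""Flag requests matching the CVE-2026-8732 exploitation pattern in web logs."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Values taken from the Detection & IOCs section of the advisory.
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "wpgmp_temp_access_ajax"

# Apache/nginx "combined" access-log layout (assumed format). Such logs carry only
# the request line, so a POST that sends the action in its body is invisible here
# and needs a WAF or request-body log instead.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    status: int
    confidence: str  # "high" when check_temp=false is present, else "medium"


def classify_request(method: str, target: str, body: str = "") -> Optional[str]:
    """Return a confidence label if the request matches the CVE-2026-8732 pattern.

    `target` is the request path plus query string; `body` is an optional
    form-encoded POST body from a log source that records it. WordPress reads
    the `action` parameter from either location, so both are merged.
    """
    parts = urlsplit(target)
    # Match sub-directory installs (/blog/wp-admin/...) as well as root installs.
    if not parts.path.endswith(AJAX_PATH):
        return None
    params = parse_qs(parts.query)
    for key, values in parse_qs(body).items():
        params.setdefault(key, []).extend(values)
    if ACTION not in [a.lower() for a in params.get("action", [])]:
        return None
    if "false" in [v.lower() for v in params.get("check_temp", [])]:
        return "high"    # the exact parameter combination named in the advisory
    return "medium"      # vulnerable action called; body parameters not visible


def scan_combined_log(lines: Iterable[str]) -> List[Finding]:
    """Run classify_request over combined-format access-log lines."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        conf = classify_request(m["method"], m["target"])
        if conf:
            findings.append(Finding(m["ip"], m["ts"], m["method"], int(m["status"]), conf))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/May/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 312
198.51.100.9 - - [29/May/2026:10:14:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88
203.0.113.7 - - [29/May/2026:10:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 403 12
192.0.2.4 - - [29/May/2026:10:15:00 +0000] "GET /blog/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44
"""

if __name__ == "__main__":
    for f in scan_combined_log(SAMPLE_LOG.splitlines()):
        print(f"{f.confidence:6} {f.ip:15} {f.method:4} {f.status} {f.ts}")
```

The second sample line (a bare POST to admin-ajax.php) is deliberately not flagged: without the body there is nothing to distinguish it from ordinary plugin traffic, which is why the high-confidence signal should come from a source that logs request bodies, or from the second IOC (a new administrator account with the hardcoded email) rather than from access logs alone.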
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 4.8 | MEDIUM | |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-v837-vph9-gcrq · ghsa_unreviewed · 2026-05-29 · CVE-2026-8732 [CRITICAL] · CWE-306
OSV
CVE-2025-8732 · libxml2 vulnerabilities · osv · 2026-01-22 · CVSS 4.8
It was discovered that libxml2 incorrectly handled maliciously crafted SGML catalog files. An attacker could possibly use this issue to cause libxml2 to consume excessive resources, leading to a denial of service. (CVE-2025-8732)
It was discovered that libxml2 incorrectly handled recursive include directories with the RelaxNG parser. An attacker could possibly use this issue to cause libxml2 to consume excessive resources, leading to a denial of service. (CVE-2026-0989)
Nick Wellnhofer discovered that libxml2 incorrectly parsed catalogs with self-referencing URI delegates. An attacker could possibly use this issue to cause libxml2 to consume excessive resources, leading to a denial of service. (CVE-2026-0990)
Nick Wellnhofer discovered that libxml2 inefficiently
VulnCheck
CVE-2026-8732 [CRITICAL] · Missing Authentication for Critical Function · vulncheck · 2026 · CVSS 9.8
No detection rules found.
No public exploits indexed.
Hackernews
CVE-2026-8732 [CRITICAL] · Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts · blogs_hackernews · 2026-06-01 · CVSS 9.8
## Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts
Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro, a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites.
WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, listings, and advanced location features on WordPress sites. It is used as a store locator tool, making it easier for users to find nearby locations, view listing details, and get directions.
The vulnerability in question is CVE-
Hackernews
CVE-2026-0257 [HIGH] · ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More · blogs_hackernews · 2026-06-01 · CVSS 7.8
## ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
Monday hit like a cron job with anger issues.
A busted auth path here, a repo-side faceplant there, some "patched-ish" thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought 'curl | sh' had a personality.
The vibe is simple: old bugs, new wrappers, faster abuse. Patch the obvious crap first. Then read the rest.
## ⚡ Threat of the Week
PAN-OS GlobalProtect Authenticati
Bleepingcomputer
CVE-2026-8732 [CRITICAL] · blogs_bleepingcomputer · 2026-05-31 · CVSS 9.8
## WP Maps Pro bug exploited to create admin accounts on WordPress sites
By Bill Toulas
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication.
The vulnerability, tracked as CVE-2026-8732, has a critical severity rating and impacts WP Maps Pro versions 6.1.0 and older. It was discovered and reported by security researcher David Brown.
WP Maps Pro is a premium WordPress plugin for building interactive, customizable maps and store locators. It supports multiple map providers, such as Google Maps and OpenStreetMap.
The plugin is typically used by businesses, real estate websites, travel sites, directories, and organizations that need to display multiple locations on a map,