cbcvebase.
CVE-2026-8732
published 2026-05-29


Priority: P1 · 88 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 9.46% (94.8th percentile)
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.

Affected

8 ranges
Vendor       Product       Version range                               Fixed in
flippercode  wp_maps_pro   <= 6.0.4
xmlsoft      libxml2       >= 0 < 2.9.13+dfsg-1ubuntu0.11              2.9.13+dfsg-1ubuntu0.11
xmlsoft      libxml2       >= 0 < 2.9.14+dfsg-1.3ubuntu3.7             2.9.14+dfsg-1.3ubuntu3.7
xmlsoft      libxml2       >= 0 < 2.14.5+dfsg-0.2ubuntu0.1             2.14.5+dfsg-0.2ubuntu0.1
xmlsoft      libxml2       >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm11        2.9.1+dfsg1-3ubuntu4.13+esm11
xmlsoft      libxml2       >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm12         2.9.3+dfsg1-1ubuntu0.7+esm12
xmlsoft      libxml2       >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm7        2.9.4+dfsg1-6.1ubuntu1.9+esm7
xmlsoft      libxml2       >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.10+esm4   2.9.10+dfsg-5ubuntu0.20.04.10+esm4

Detection & IOCs (extracted from sources)

  • other: wpgmp_temp_access_ajax
  • other: fc-call-nonce
  • other: check_temp=false
  • Detect unauthenticated POST requests to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) with action=wpgmp_temp_access_ajax and check_temp=false parameter, indicating exploitation attempts.
  • Alert on new WordPress administrator account creation where the registered email address is [email protected], as this is the hardcoded value used by the exploit.
  • Inspect frontend JavaScript objects (wpgmp_local) for the exposed nonce field; presence of fc-call-nonce in page source confirms the site is running a vulnerable version of WP Maps Pro (≤6.1.0).
  • The nonce (fc-call-nonce) is intentionally embedded in every public frontend page, meaning it is always available to unauthenticated attackers and cannot be treated as a secret or access control mechanism in vulnerable versions.
  • The patched version (6.1.1) restricts the endpoint to authenticated administrators only; sites still running ≤6.1.0 remain fully exploitable with no authentication required.
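The first detection bullet above, as an added example (not part of the advisory or the plugin): it classifies request records by the exploitation pattern described here. It assumes requests are available as dicts with url, body and cookie fields, such as an export from a WAF or reverse-proxy log; the sample records are constructed. It goes slightly beyond the bullet by not restricting to POST, since admin-ajax.php reads the action from the query string as well as the body.

```python
"""Flag requests matching the CVE-2026-8732 exploitation pattern.

Assumed input (not from the advisory): request records as dicts with
'id', 'url', 'body' and 'cookie' keys, e.g. exported from a WAF log.
"""
from urllib.parse import parse_qs, urlsplit

AJAX_ACTION = "wpgmp_temp_access_ajax"


def _params(req):
    """Merge query-string and form-body parameters (body wins on conflict)."""
    merged = {}
    for raw in (urlsplit(req.get("url", "")).query, req.get("body", "")):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged[key] = values[-1]
    return merged


def _is_authenticated(req):
    """WordPress sets a wordpress_logged_in_<hash> cookie for logged-in sessions."""
    return "wordpress_logged_in_" in req.get("cookie", "")


def classify(req):
    """Return None, 'suspicious' or 'exploit' for one request record."""
    if not urlsplit(req.get("url", "")).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = _params(req)
    if params.get("action") != AJAX_ACTION:
        return None
    # Any unauthenticated hit on this nopriv action is worth a look; the
    # check_temp=false variant is the documented admin-creation path.
    if params.get("check_temp", "").lower() == "false" and not _is_authenticated(req):
        return "exploit"
    return "suspicious"


def scan(records):
    """Return (id, verdict) pairs for every record that is not benign."""
    return [(r["id"], v) for r in records if (v := classify(r))]


# Constructed sample records, not real traffic.
SAMPLE = [
    {"id": 1, "url": "/wp-admin/admin-ajax.php", "cookie": "",
     "body": "action=wpgmp_temp_access_ajax&nonce=abc123&check_temp=false"},
    {"id": 2, "url": "/wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax",
     "body": "check_temp=true", "cookie": "wordpress_logged_in_x=admin|..."},
    {"id": 3, "url": "/wp-admin/admin-ajax.php", "body": "action=heartbeat", "cookie": ""},
    {"id": 4, "url": "/wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=FALSE",
     "body": "", "cookie": ""},
]

if __name__ == "__main__":
    for rid, verdict in scan(SAMPLE):
        print(rid, verdict)
```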

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv               4.8   MEDIUM
vulncheck         9.8   CRITICAL