Critical Remote Admin Creation in WP Maps Pro (CVE-2026-8732) Endangers WordPress Sites
What It Is — WP Maps Pro, a widely‑deployed WordPress store‑locator plugin, contains an unauthenticated AJAX endpoint (wpgmp_temp_access_ajax) that creates a new WordPress user with the Administrator role and returns a “magic” login URL. The flaw is assigned a CVSS 9.8, classifying it as a critical remote‑code‑execution‑style vulnerability.
Exploitability — Active exploitation has been observed; 2,858 attacks were blocked in a 24‑hour period. A public proof‑of‑concept exists and threat actors are weaponising the flaw in the wild.
Affected Products — WP Maps Pro plugin versions ≤ 6.1.0 (approximately 15 000+ WordPress sites) on any WordPress installation.
TPRM Impact — Any third‑party that relies on WP Maps Pro becomes a direct entry point for full site takeover, exposing customer data, compromising brand reputation, and potentially propagating risk to downstream SaaS or hosted services that integrate with the compromised site.
Recommended Actions —
- Upgrade immediately to WP Maps Pro 6.1.1 or later.
- Conduct a full audit of WordPress user accounts; delete any unexpected administrators.
- Block the
wpgmp_temp_access_ajaxendpoint for unauthenticated requests via a WAF or server‑side rule. - Enable multi‑factor authentication for all admin accounts and monitor logs for the “magic login URL” pattern.
- Review downstream integrations (e.g., APIs, e‑commerce platforms) for data leakage and consider temporary isolation of the affected site.
Source: https://securityaffairs.com/192977/hacking/cve-2026-8732-the-wp-maps-pro-flaw-that-lets-anyone-create-a-wordpress-admin-without-a-password.html