HarborGuard / CVE
Severity: CRITICAL | CVE-2026-8732 | CNA: Wordfence

CVE-2026-8732: WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation in the wpgmp_temp_access_ajax AJAX Action

The WP Maps Pro plugin for WordPress is vulnerable to privilege escalation via administrator account creation in all versions up to, and including, 6.1.0. The wpgmp_temp_access_ajax AJAX action is registered with wp_ajax_nopriv_, so it is reachable without a login, and it is protected only by a check of the fc-call-nonce nonce. That nonce is embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, so any visitor can read it and the check provides no access control. An unauthenticated attacker can therefore invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL. Visiting that URL calls wp_set_auth_cookie(), fully authenticating the attacker as the newly created administrator and resulting in complete site takeover.
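The access-control failure is easier to see in code. The following is an added, illustrative reconstruction of the pattern the advisory describes, placed beside a hardened form; it is not WP Maps Pro source. The script handle, the nonce field name, the magic-link parameter and token storage, the support role name and every function name are assumptions made for the example.

```php
<?php
// Illustrative reconstruction of the pattern described in CVE-2026-8732.
// NOT WP Maps Pro source: the script handle, nonce field name, magic-link
// parameter and token storage, role name and function names are all assumed.

/* ---------- Weak pattern: a public nonce as the only gate ---------- */

// The nonce is handed to every visitor in page source, so it is public knowledge.
add_action('wp_enqueue_scripts', function () {
    wp_localize_script('wpgmp-frontend', 'wpgmp_local', [
        'ajax_url' => admin_url('admin-ajax.php'),
        'nonce'    => wp_create_nonce('fc-call-nonce'),
    ]);
});

// Registered for unauthenticated callers: anyone who can fetch a page can call it.
add_action('wp_ajax_nopriv_wpgmp_temp_access_ajax', 'weak_temp_access_support');

function weak_temp_access_support() {
    // Proves only that the caller saw a page, not who the caller is.
    check_ajax_referer('fc-call-nonce', 'nonce');

    $check_temp = isset($_POST['check_temp'])
        ? sanitize_text_field(wp_unslash($_POST['check_temp']))
        : 'true';
    if ($check_temp !== 'false') {
        wp_send_json_success(['status' => 'checked']);
    }

    // No capability check before creating a user, and the role is hardcoded.
    $user_id = wp_insert_user([
        'user_login' => 'wpgmp_support_' . wp_generate_password(6, false),
        'user_pass'  => wp_generate_password(32, true),
        'user_email' => 'support+' . wp_generate_password(6, false) . '@example.invalid',
        'role'       => 'administrator',
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()]);
    }

    // A bearer token in a URL that logs its holder in without a password.
    $token = wp_generate_password(40, false);
    update_user_meta($user_id, 'wpgmp_magic_token', $token);
    wp_send_json_success(['login_url' => add_query_arg('wpgmp_magic', $token, home_url('/'))]);
}

// The magic link: whoever presents the token becomes that user.
add_action('init', function () {
    if (empty($_GET['wpgmp_magic'])) {
        return;
    }
    $users = get_users([
        'meta_key'   => 'wpgmp_magic_token',
        'meta_value' => sanitize_text_field(wp_unslash($_GET['wpgmp_magic'])),
        'number'     => 1,
    ]);
    if ($users) {
        wp_set_auth_cookie($users[0]->ID);
        wp_safe_redirect(admin_url());
        exit;
    }
});

/* ---------- Hardened form: authorization first, nonce second ---------- */

// Not registered under wp_ajax_nopriv_: unauthenticated requests never reach it.
add_action('wp_ajax_wpgmp_temp_access_ajax', 'hardened_temp_access_support');

function hardened_temp_access_support() {
    // CSRF protection is still useful, but it is not authorization.
    check_ajax_referer('fc-call-nonce', 'nonce');

    // Authorization: only users who may create and promote users can proceed.
    if (!current_user_can('create_users') || !current_user_can('promote_users')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // Least privilege: a dedicated support role, never administrator.
    // 'wpgmp_support' is assumed to have been registered elsewhere with add_role().
    $user_id = wp_insert_user([
        'user_login' => 'wpgmp_support_' . wp_generate_password(6, false),
        'user_pass'  => wp_generate_password(32, true),
        'user_email' => 'support+' . wp_generate_password(6, false) . '@example.invalid',
        'role'       => 'wpgmp_support',
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()]);
    }

    // No password-less login URL: the support engineer signs in normally.
    wp_send_json_success(['user_id' => $user_id]);
}
```

The difference that matters is the order of checks: a nonce is a CSRF token, so it can only ever answer "did this request originate from a page we served", and any value that is rendered to anonymous visitors answers that question for everyone. Authorization has to come from current_user_can() on a session that exists, which is why the hardened handler is not registered under wp_ajax_nopriv_ at all.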

HarborGuard Analysis


Synopsis

Unauthenticated privilege escalation in the WP Maps Pro WordPress plugin (versions up to and including 6.1.0). The vulnerable wpgmp_temp_access_ajax AJAX action is reachable over the network without authentication; the nonce gating the handler is published on every frontend page via wp_localize_script, so it provides no real access control. Successful exploitation creates a new administrator account through wp_insert_user() and returns a magic login URL that issues a full auth cookie, resulting in complete site takeover. No upstream fix is published yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against WordPress images and plugin layers in customer registries and pipelines. Coverage extends to custom-built images that bundle WP Maps Pro, including derivatives and internal forks.

Status: Available
Triage

Triage is available with the CVSS v3.1 score of 9.8 (Critical) carried through and re-weighted by each customer's compliance policy, so internet-exposed WordPress workloads escalate ahead of isolated ones. Findings route to the security or platform inbox configured inside each customer organization.

Status: Available
Patch

No upstream fix is published for WP Maps Pro at this time. HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available the moment flippercode ships a fixed release; environments with auto-remediation enabled will then get a rebuild, regression-test run, and PR opened against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker only needs to reach the WordPress site's admin-ajax.php endpoint over the network, which is typically internet-facing.

  • Authentication: Not required

    The AJAX action is registered with wp_ajax_nopriv_, so no WordPress account or session is needed.

  • Victim interaction: Not required

    The attacker drives the entire flow by calling the AJAX endpoint and visiting the returned magic login URL directly.

  • Attack complexity: Low

    The exploit is reliable and condition-free: the nonce is published in page source and the handler unconditionally creates an administrator.

Blast Radius

  • Creates a new WordPress user with the administrator role via wp_insert_user(), giving the attacker a persistent privileged account.
  • Returns a magic login URL that calls wp_set_auth_cookie(), letting the attacker authenticate as that administrator without a password.
  • Enables full read of site content, user data, and stored secrets, plus modification of posts, plugins, themes, and options.
  • Allows arbitrary plugin or theme upload, which is a standard path to remote code execution on the WordPress host.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the WP Maps Pro advisory and matching against any image that ships the plugin, including custom WordPress builds. Until flippercode publishes a fix, recommended compensating controls include blocking unauthenticated POSTs to admin-ajax.php with action=wpgmp_temp_access_ajax at the WAF or reverse proxy, restricting the plugin's frontend exposure via network policy, and auditing wp_users for unexpected administrator accounts (join wp_usermeta on the wp_capabilities key and sort by user_registered so recently created accounts surface first; wp_insert_user() itself leaves no dedicated log). The moment an upstream patched release lands, a rebuilt image at the fix version becomes available on HarborGuard, and environments with auto-remediation enabled get a rebuild, regression run, and PR opened against affected workloads automatically.
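The "block the unauthenticated action" control can also be applied inside WordPress itself when no WAF sits in front of the site. The following must-use plugin is an added example, not code from HarborGuard or flippercode: it hooks the action at priority 0 so the plugin's own callback never runs for callers who cannot create users, and it logs any newly created administrator, which is the only outcome this flaw produces. The hook names are derived from the action name in the advisory; hooking the authenticated wp_ajax_ variant as well is a precaution, since the advisory only confirms the wp_ajax_nopriv_ registration, and priority 0 assumes the plugin registers at WordPress's default priority of 10.

```php
<?php
/**
 * Plugin Name: CVE-2026-8732 virtual patch for WP Maps Pro
 * Description: Added example mu-plugin for wp-content/mu-plugins/, not code
 *              from HarborGuard or flippercode. Blocks wpgmp_temp_access_ajax
 *              for callers who cannot create users and logs new administrators.
 */

// Hook names derive from the action name in the advisory. The authenticated
// wp_ajax_ variant is included as a precaution; only the wp_ajax_nopriv_
// registration is confirmed. Priority 0 assumes the plugin hooks at the
// default priority (10); lower it further if the plugin hooks earlier.
foreach (['wp_ajax_nopriv_wpgmp_temp_access_ajax', 'wp_ajax_wpgmp_temp_access_ajax'] as $hook) {
    add_action($hook, 'cve_2026_8732_gate', 0);
}

/**
 * Runs before the plugin's own callback. wp_send_json_error() ends the
 * request, so a blocked caller never reaches wpgmp_temp_access_support.
 */
function cve_2026_8732_gate() {
    if (current_user_can('create_users') && current_user_can('promote_users')) {
        return; // a genuine administrator may still use the feature
    }
    $check_temp = isset($_POST['check_temp'])
        ? sanitize_text_field(wp_unslash($_POST['check_temp']))
        : '-';
    // REMOTE_ADDR is the upstream proxy's address behind a reverse proxy;
    // substitute the trusted client-IP header your deployment sets.
    error_log(sprintf(
        '[CVE-2026-8732] blocked wpgmp_temp_access_ajax from %s (check_temp=%s, user=%d)',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $check_temp,
        get_current_user_id()
    ));
    wp_send_json_error(['message' => 'forbidden'], 403);
}

// Detection: alert on any new administrator regardless of which code path
// created it. wp_insert_user() assigns the role before firing user_register,
// so the role is already visible here.
add_action('user_register', function ($user_id) {
    $user = get_userdata($user_id);
    if (!$user || !in_array('administrator', (array) $user->roles, true)) {
        return;
    }
    error_log(sprintf(
        '[CVE-2026-8732] new administrator "%s" (ID %d) created by user %d via action=%s from %s',
        $user->user_login,
        $user_id,
        get_current_user_id(),
        isset($_REQUEST['action']) ? sanitize_key($_REQUEST['action']) : '-',
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ));
}, 10, 1);
```

To verify the gate, send an anonymous POST to admin-ajax.php with action=wpgmp_temp_access_ajax and confirm an HTTP 403 plus a "[CVE-2026-8732] blocked" line in the PHP error log; a WAF or reverse-proxy rule keys on exactly the same request shape. The user_register hook is independent of the gate and stays useful after the upstream fix ships, since an unexpected administrator is worth an alert on any WordPress site.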


Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fixed version published (pending upstream)
Affected products: 1
Affected packages
  • flippercode / WP Maps Pro, ≤ 6.1.0 (the affected range stated in the advisory)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H