15,000 WordPress Sites Affected by Administrator Account Creation Vulnerability in WP Maps Pro WordPress Plugin

On March 24th, 2026, we received a submission for an Unauthenticated Administrator Account Creation vulnerability in WP Maps Pro, a WordPress plugin with more than 15,000 sales. This vulnerability makes it possible for unauthenticated attackers to create new administrator accounts on the affected sites, leading to complete site takeover.

Props to David Brown who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,950.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 18, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 17, 2026.

Since we were unable to find direct contact information for the vendor, we escalated this report to the Envato security team on May 16, 2026, who then forwarded it to the vendor.

We urge users to update their sites to the latest patched version of WP Maps Pro, version 6.1.1 at the time of this publication, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 9.8 (Critical)
Affected Version(s): <= 6.1.0
Patched Version: 6.1.1
Affected Software: WP Maps Pro [wp-google-map-gold]
Researcher: David Brown
Description: The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.

Technical Analysis

WP Maps Pro is a WordPress plugin that enables site owners to embed customizable Google Maps with markers, categories, and advanced location features. As part of its support tooling, the plugin exposes a “temporary access” feature designed to allow vendor support staff to log in to a customer’s site when troubleshooting is required.

Examining the code shows that the plugin uses the wpgmp_temp_access_ajax_callback() function in the WPGMP_Google_Maps_Pro class to handle temporary access generation.

function wpgmp_temp_access_ajax_callback(){
    // The only gate is the nonce, which every front-end page discloses;
    // no current_user_can() or other authorization check follows it.
    check_ajax_referer( 'fc-call-nonce', 'nonce' );
    $temp_access = new WPGMP_Temp_Access();
    $response = $temp_access->wpgmp_temp_access_support();

    wp_send_json($response);

    exit();
}

Although this function performs a nonce check, the nonce is not secret. The plugin prints it into every front-end page via wp_localize_script() as the nonce field of the wpgmp_local JavaScript object, so any anonymous visitor can read it from the page source and replay it. A WordPress nonce is a CSRF token tied to the session that requested the page, and for a logged-out visitor that session is anonymous; it says nothing about who the caller is. Because the action was also registered with wp_ajax_nopriv_ and the vulnerable version performed no capability check, unauthenticated attackers could invoke the AJAX action directly.
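The following script is an added example for checking a site's exposure to the issue described above; it is not code from the original post or from the plugin vendor. It parses a saved copy of a site's front-end HTML, pulls the nonce out of the wpgmp_local object that wp_localize_script() prints into the page, and reads the plugin version from the ?ver= query string that wp_enqueue_script() appends to script URLs. The HTML it runs on is constructed for the example, the script path under wp-google-map-gold/ and the ajax_url key are assumptions (only the nonce field is documented in this advisory), and it never calls the AJAX action itself.

```python
"""Exposure check for the publicly embedded WP Maps Pro nonce.

Added example, not code from the advisory or the plugin. Run it on a copy of
the site's front page (e.g. saved with curl) to confirm whether the nonce is
readable without logging in and whether the installed version is unpatched.
"""
import json
import re

# From the advisory: all versions up to and including 6.1.0 are affected.
LAST_AFFECTED = (6, 1, 0)

# wp_localize_script() emits:  var wpgmp_local = {...json...};
LOCALIZE_RE = re.compile(r"var\s+wpgmp_local\s*=\s*(\{.*?\});", re.DOTALL)
# Only the ?ver= value is relied on; the path after the plugin slug is an assumption.
VERSION_RE = re.compile(r"wp-google-map-gold/[^\"'\s]*?\?ver=([0-9][0-9.]*)")


def parse_version(version):
    """'6.1.0' -> (6, 1, 0); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version):
    return parse_version(version) <= LAST_AFFECTED


def extract_nonce(html):
    """Return the fc-call-nonce value any anonymous visitor can read, or None."""
    match = LOCALIZE_RE.search(html)
    if not match:
        return None
    return json.loads(match.group(1)).get("nonce")


def extract_plugin_version(html):
    match = VERSION_RE.search(html)
    return match.group(1) if match else None


def assess(html):
    """Exposed means: nonce readable without login AND an unpatched version."""
    nonce = extract_nonce(html)
    version = extract_plugin_version(html)
    needs_update = version is not None and is_affected_version(version)
    return {
        "nonce": nonce,
        "version": version,
        "needs_update": needs_update,
        "exposed": nonce is not None and needs_update,
    }


# Constructed sample of the relevant part of a front-end page. The "ajax_url"
# key is an assumption; only "nonce" is documented in the advisory.
SAMPLE_HTML = """
<script src="https://example.com/wp-content/plugins/wp-google-map-gold/assets/js/maps.js?ver=6.0.4"></script>
<script>
var wpgmp_local = {"nonce":"9f8e7d6c5b","ajax_url":"https:\\/\\/example.com\\/wp-admin\\/admin-ajax.php"};
</script>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

A site that reports exposed should be updated before anything else; if the version cannot be read from the page (some sites strip ?ver=), treat a readable nonce on an unknown version as exposed until the plugin version is confirmed in the dashboard.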

The callback then invokes wpgmp_temp_access_support() in the WPGMP_Temp_Access class, which creates the administrator user.

public static function wpgmp_temp_access_support() {

    $response = array();

    if (isset($_POST['check_temp']) && $_POST['check_temp'] == 'false') {
        // Creation branch: nothing here checks who is asking.
        $username = 'fc_user_' . uniqid();
        $email = 'support@flippercode.com';
        $role = 'administrator';   // hardcoded role

        $result = self::fc_create_new_user($username, $email, $role);

        if (is_numeric($result)) {
            // $result is the new user ID: mint a token, build the magic login URL, return it.
            update_user_meta( $result, '_wpgmp_access_token', self::generate_wpgmp_access_token( $result ) );
            $access_link = self::generate_login_link($result);
            update_user_meta( $result, '_wpgmp_access_url', $access_link );
            $response['url'] = $access_link;
        } else {
            $response['error'] = $result;
        }
    } else if( isset($_POST['check_temp']) && $_POST['check_temp'] == 'true' ) {
        // Removal branch: reachable by the same unauthenticated callers.
        $user = get_user_by('email','support@flippercode.com');
        if ($user) {
            $user_id = $user->ID;
            if (wp_delete_user($user_id)) {
                $meta_keys_to_delete = array('_wpgmp_access_token', '_wpgmp_access_url');

                foreach ($meta_keys_to_delete as $meta_key) {
                    delete_user_meta($user_id, $meta_key);
                }
                $response['deleted'] = true;
            }
        }
    }
    return $response;
}

When the request carries a check_temp parameter set to false, the function creates a new WordPress user through its fc_create_new_user() helper (which wraps wp_insert_user()) with the hardcoded role of administrator, a username of fc_user_ followed by a uniqid() value, and the hardcoded email address support@flippercode.com. It then generates a "magic login URL" with generate_login_link(), stores it in user meta alongside an access token, and returns it in the response body.

Two details of this code matter for responders. The check_temp=true branch is reachable by the same unauthenticated callers and deletes whichever account holds the support@flippercode.com address. And because wp_insert_user() rejects a duplicate email address, an attacker who finds a support account already present (for example one a legitimate administrator created for the vendor) can remove it with check_temp=true and then create their own. The indicators of an account created this way are therefore the fc_user_ login prefix, the vendor email address, and the _wpgmp_access_token and _wpgmp_access_url user meta keys.

When the attacker visits the returned URL, the plugin calls wp_set_auth_cookie() to fully authenticate the visitor as the newly created administrator, without requiring a password or any further verification. As a result, an attacker gains full administrator-level control over the site and can install malicious plugins, modify themes, inject backdoors, exfiltrate data, or deploy webshells for persistent access.

As with all privilege escalation vulnerabilities, this can lead to complete site compromise.
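As an added incident-response example (not code from the original post or from the plugin), the script below runs the SQL a responder would run against the WordPress database to find accounts matching what wpgmp_temp_access_support() creates: a user_login starting with fc_user_, the email support@flippercode.com, or the _wpgmp_access_token / _wpgmp_access_url user meta. An in-memory SQLite copy of the relevant wp_users and wp_usermeta columns stands in for MySQL (the SQL is written so it runs unchanged on both, apart from the connector's placeholder syntax), the default wp_ table prefix is assumed, every row is constructed, and the magic-link value is a placeholder because the advisory does not show the real URL format.

```python
"""Find accounts left behind by the WP Maps Pro temporary-access handler.

Added example, not code from the advisory or the plugin. Point the two queries
at the real wp_users / wp_usermeta tables (adjust the prefix) during triage.
"""
import sqlite3

SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# Constructed rows: the site owner, a support account created by the vulnerable
# handler, an account whose login and email were changed afterwards but which
# still carries the plugin's meta, and an unrelated editor whose login merely
# starts with 'fc_user' (no trailing underscore).
SAMPLE_USERS = [
    (1, "siteadmin", "owner@example.com", "2025-11-02 10:00:00"),
    (3, "helpdesk", "help@example.com", "2026-05-17 03:12:44"),
    (4, "fc_userbob", "bob@example.com", "2026-01-09 08:30:00"),
    (7, "fc_user_6655a1c2d3e4f", "support@flippercode.com", "2026-05-19 22:41:07"),
]
SAMPLE_META = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, 3, "_wpgmp_access_url", "https://example.com/placeholder-magic-link"),
    (4, 4, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (5, 7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (6, 7, "_wpgmp_access_token", "0123456789abcdef0123456789abcdef"),
    (7, 7, "_wpgmp_access_url", "https://example.com/placeholder-magic-link"),
]

# ESCAPE '!' makes the underscores literal; a bare '_' in LIKE is a one-character wildcard.
FIND_ACCOUNTS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       GROUP_CONCAT(m.meta_key) AS wpgmp_meta
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key IN ('_wpgmp_access_token', '_wpgmp_access_url')
WHERE u.user_login LIKE 'fc!_user!_%' ESCAPE '!'
   OR u.user_email = 'support@flippercode.com'
   OR m.meta_key IS NOT NULL
GROUP BY u.ID, u.user_login, u.user_email, u.user_registered
ORDER BY u.ID
"""

# Roles live in the PHP-serialised wp_capabilities meta, e.g. a:1:{s:13:"administrator";b:1;}
ROLE_SQL = "SELECT meta_value FROM wp_usermeta WHERE user_id = ? AND meta_key = 'wp_capabilities'"


def find_support_accounts(conn):
    cols = ("id", "login", "email", "registered", "wpgmp_meta")
    return [dict(zip(cols, row)) for row in conn.execute(FIND_ACCOUNTS_SQL)]


def is_administrator(conn, user_id):
    row = conn.execute(ROLE_SQL, (user_id,)).fetchone()
    return row is not None and '"administrator"' in row[0]


def triage(conn):
    """Matching accounts, each annotated with whether it currently holds the administrator role."""
    findings = find_support_accounts(conn)
    for acct in findings:
        acct["administrator"] = is_administrator(conn, acct["id"])
    return findings


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", SAMPLE_META)
    return conn


if __name__ == "__main__":
    for finding in triage(build_sample_db()):
        print(finding)
```

A hit should be correlated with whether an administrator actually requested vendor support around the user_registered time; a support account created on purpose looks identical to one created by an attacker. The meta keys catch accounts that were renamed after login, but an attacker with administrator access can also delete the meta or the account itself, so an empty result is not proof that the site was never exploited; check web server logs for admin-ajax.php requests and review every administrator account and recently modified file as well.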

The Patch

The vendor patched this issue by adding a current_user_can( 'manage_options' ) capability check to wpgmp_temp_access_ajax_callback(), ahead of the nonce check, so that only users holding that capability (administrators by default) can reach the handler. This is the correct layering: the authorization check decides who may call the endpoint, and the nonce then only protects that authorized user against cross-site request forgery. The nonce alone was never a substitute for the authorization check.

function wpgmp_temp_access_ajax_callback(){
    // 1. Only allow logged-in administrators
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'error' => 'Unauthorized' ), 403 );
        exit();
    }
    
    check_ajax_referer( 'fc-call-nonce', 'nonce' );
    $temp_access = new WPGMP_Temp_Access();
    $response = $temp_access->wpgmp_temp_access_support();

    wp_send_json($response);

    exit();
}

Wordfence Firewall

The following graphic shows the steps an attacker might take to exploit this vulnerability and the point at which the Wordfence firewall would block the attempt.

Disclosure Timeline

March 24, 2026 – We received the submission for the Unauthenticated Administrator Account Creation vulnerability in WP Maps Pro via the Wordfence Bug Bounty Program.
May 16, 2026 – We validated the report and confirmed the proof-of-concept exploit. As we were unable to locate a direct contact for the vendor, we escalated the report to the Envato security team, who forwarded it to the vendor on our behalf.
May 18, 2026 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
May 20, 2026 – The fully patched version of the plugin, 6.1.1, was released.
June 17, 2026 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Unauthenticated Administrator Account Creation vulnerability within the WP Maps Pro plugin affecting all versions up to, and including, 6.1.0. This vulnerability allows unauthenticated threat actors to create new administrator accounts and gain full control of the affected site. The vulnerability has been fully addressed in version 6.1.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Maps Pro as soon as possible considering the critical nature of this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 18, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 17, 2026.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
