CVE-2026-8732: WP Maps Pro Support Feature Allows Unauthenticated Admin Account Creation
A missing authentication flaw in WP Maps Pro's vendor support feature allows any unauthenticated attacker to create a WordPress administrator account with a single HTTP request. CVSS 9.8, confirmed active exploitation, 15,800+ installs.
CVE-2026-8732 is a missing authentication vulnerability in WP Maps Pro, a commercial WordPress mapping plugin sold through Envato Market with over 15,800 sales. All versions up to and including 6.1.0 are affected. The vulnerability carries a CVSS score of 9.8. Active exploitation was confirmed within days of the May 29 disclosure.
The root cause is a vendor support feature called temporary access, designed to allow WP Maps Pro's own staff to log into customer sites for troubleshooting. The feature is implemented as an AJAX action — wpgmp_temp_access_ajax — registered with WordPress's wp_ajax_nopriv_ hook, which makes it accessible to unauthenticated requests. Its only protection is a nonce check. That nonce is embedded in the HTML source of every frontend page running the plugin, delivered via wp_localize_script and visible to any visitor. An attacker retrieves it with a single page request.
With the nonce in hand, a crafted POST request to the endpoint — with the check_temp parameter set to false — triggers the full attack chain: WordPress creates a new user, assigns it the administrator role, generates a passwordless login URL for that account, and sends the URL to a remote system specified by the attacker. The attacker visits the URL and is authenticated as administrator. No credentials, no interaction from any site user, and no further steps are required.
The vulnerability was discovered by security researcher David Brown. It is classified CWE-306 — Missing Authentication for Critical Function. In CVSS terms, the attack vector is network, attack complexity is low, privileges required are none, and user interaction is none. The practical consequence is full site takeover from a single unauthenticated HTTP request.
WP Maps Pro's commercial distribution through Envato Market rather than the WordPress.org plugin directory is a compounding factor. Free plugins hosted on WordPress.org push update notifications through the standard WordPress dashboard mechanism automatically. Commercial plugins do not unless the site operator has installed the Envato Market connector plugin. A significant portion of the 15,800-strong install base may not have received an update notification, and automated scanning of the install base has been observed.
The patched version is 6.1.1, available through Envato Market. Sites that cannot update immediately should disable the plugin entirely — an inactive plugin cannot serve the vulnerable endpoint. After patching, administrators should audit the WordPress user list for unrecognized administrator accounts, particularly any created after May 29. Rogue admin accounts should be treated as indicators of full site compromise, not isolated incidents.
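Two defender-side checks that follow from the mechanism above, as an added example that is not part of the advisory or the plugin's own code: flagging access-log requests that name the wpgmp_temp_access_ajax action, and listing administrator accounts registered on or after the May 29 disclosure. The log lines, the user export (shaped like `wp user list --format=json` output) and the login names are constructed samples; the combined-log-format regex is an assumption about your web server's log layout.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample access log lines (combined log format); not from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2026:02:11:07 +0000] "GET /sample-map-page/ HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2026:02:11:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.9 - - [30/May/2026:08:40:12 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43 "-" "Mozilla/5.0"
"""

# Constructed sample shaped like `wp user list --fields=ID,user_login,roles,user_registered --format=json`.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "roles": "administrator", "user_registered": "2021-03-14 10:02:11"},
    {"ID": 41, "user_login": "editor1", "roles": "editor", "user_registered": "2025-11-02 09:15:00"},
    {"ID": 57, "user_login": "wpgmp_support", "roles": "administrator", "user_registered": "2026-05-30 02:11:10"},
])

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
VULN_ACTION = "wpgmp_temp_access_ajax"
DISCLOSURE = datetime(2026, 5, 29, tzinfo=timezone.utc)


def find_endpoint_hits(log_text):
    """Return (ip, timestamp, status) for each admin-ajax.php request whose query string names the vulnerable action."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, query = (m["path"].split("?", 1) + [""])[:2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if path.endswith("/admin-ajax.php") and params.get("action") == VULN_ACTION:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def suspicious_admins(users_json, since=DISCLOSURE):
    """Return logins of administrator accounts registered on or after the disclosure date."""
    flagged = []
    for user in json.loads(users_json):
        if "administrator" not in user["roles"].split(","):
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if registered >= since:
            flagged.append(user["user_login"])
    return flagged


if __name__ == "__main__":
    print("endpoint hits:", find_endpoint_hits(SAMPLE_LOG))
    print("admins created since disclosure:", suspicious_admins(SAMPLE_USERS))
```

Standard access logs record only the query string, so a request that passes `action` in the POST body will not match here; full-request or WAF logs are needed for that case, and an empty hit list is not evidence the endpoint was never reached.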