WP Maps Pro CVE-2026-8732

Brendan Smith - Cybersecurity Analyst

WP Maps Pro CVE-2026-8732 is a critical WordPress plugin flaw that can let an unauthenticated attacker create a new administrator account on sites running vulnerable versions. For a site owner, that is a takeover path, not a minor plugin bug: once a rogue admin exists, the attacker can install plugins, edit theme files, inject redirects, add web shells, or create persistence that survives a simple password reset.

The fix is WP Maps Pro 6.1.1. If your site uses the plugin for store locators, real-estate maps, travel directories, branch listings, or other map pages, update first, then audit administrator accounts and recent admin-ajax.php requests.

Who is affected

The vulnerable plugin is WP Maps Pro, also tracked in vulnerability databases as wp-google-map-gold. Versions up to and including 6.1.0 are affected. Version 6.1.1 is the patched release.

Situation: WP Maps Pro 6.1.0 or older
Risk and what to do: Update to 6.1.1. If you cannot update immediately, disable the plugin while you investigate exposure.

Situation: Unknown WordPress administrator account
Risk and what to do: Do not stop at deleting the user. Review plugins, themes, mu-plugins, cron jobs, and files under wp-content.

Situation: Suspicious POST requests to admin-ajax.php
Risk and what to do: Look for wpgmp_temp_access_ajax, wpgmp_temp_access_support, or check_temp=false in web, WAF, or CDN logs.

How the takeover works

The CVE description points to the plugin’s temporary-support access feature. The AJAX action was reachable without a logged-in WordPress session, while the nonce used as the check was exposed to frontend visitors. With that path, an attacker could invoke the support handler, force WordPress to create a user with the administrator role through wp_insert_user(), and receive a magic login URL that authenticates the new account.

The practical problem is that exploitation may leave behind ordinary-looking WordPress state. A site owner who checks only for obvious malware files can miss the first signal: a new admin account, a successful login, and later changes made with legitimate WordPress privileges.

What to check now

  1. Update WP Maps Pro to 6.1.1, or disable the plugin until the patch can be installed.
  2. Open Users -> Administrators and look for unfamiliar emails, support-style names, recently created accounts, or users nobody on the team owns.
  3. Search server, WAF, and CDN logs for POST requests to admin-ajax.php containing wpgmp_temp_access_ajax, wpgmp_temp_access_support, or check_temp=false.
  4. If a suspicious admin existed, rotate administrator passwords, invalidate sessions, revoke application passwords/API keys, and refresh WordPress salts in wp-config.php.
  5. Review installed plugins, theme files, mu-plugins, scheduled tasks, upload folders, and recently modified PHP files. If the site redirected visitors or served suspicious scripts, scan the server-side content and administrator workstations with a trusted tool such as Gridinsoft Anti-Malware and check affected domains with Gridinsoft reputation services.
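The following Python script is an added example, not part of this article and not code from the WP Maps Pro plugin or its vendor. It automates steps 2 and 3 of the checklist in one pass: it flags administrator accounts that are unfamiliar, recently registered, or carry a support-style name, and it picks out POST requests to admin-ajax.php whose logged request line contains one of the indicator strings above. It assumes the user records have the shape that `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json` produces and that the access log is in the common Apache/nginx combined format. The log lines, user records, the "known admin" list and the investigation window are constructed sample data, and the name hints are a heuristic of my own, not something the article states.

```python
"""Triage helper for the checklist above (added example, not part of the article).

Two checks: administrator accounts that look unfamiliar or recently created, and
POST requests to admin-ajax.php that carry the indicator strings named in the
article. All sample data below is constructed for the demonstration.
"""
import re
from datetime import datetime

# Indicator strings from the article's checklist.
INDICATORS = ("wpgmp_temp_access_ajax", "wpgmp_temp_access_support", "check_temp=false")

# Heuristic (my assumption, not from the article): tokens that often appear in
# accounts planted through a "support access" style flow.
SUSPICIOUS_NAME_HINTS = ("support", "temp", "wpgmp")

# Combined-format access log line (Apache/nginx default). Only the client IP,
# timestamp, request line and status are extracted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_indicator_requests(log_lines):
    """Return (ip, timestamp, path, status) for POSTs to admin-ajax.php whose
    logged request path carries an indicator string.

    Caveat: access logs normally omit POST bodies, so only indicators in the
    query string are visible here. No hits does not clear the site; WAF or CDN
    logs with body inspection are the better source.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if "admin-ajax.php" not in m.group("path"):
            continue
        if any(ind in m.group("path") for ind in INDICATORS):
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), int(m.group("status"))))
    return hits


def find_suspicious_admins(users, known_admin_logins, since):
    """Flag administrator records that are not on the team's known list, were
    registered on or after `since`, or carry a support-style name.

    `users` is the parsed JSON from `wp user list ... --format=json`; there the
    roles field is a comma-separated string, but a list also works.
    """
    findings = []
    for u in users:
        if "administrator" not in u.get("roles", ""):
            continue
        reasons = []
        if u["user_login"] not in known_admin_logins:
            reasons.append("not in known admin list")
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            reasons.append("registered on/after %s" % since.date())
        haystack = ("%s %s" % (u["user_login"], u["user_email"])).lower()
        if any(h in haystack for h in SUSPICIOUS_NAME_HINTS):
            reasons.append("support-style name")
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


def run_triage(log_lines, users, known_admin_logins, since):
    """Combine both checks into one report dict."""
    return {
        "requests": find_indicator_requests(log_lines),
        "admins": find_suspicious_admins(users, known_admin_logins, since),
    }


# Constructed sample data. The window starts at the CVE's publication date;
# adjust it to your own investigation window.
SINCE = datetime(2026, 5, 29)
KNOWN_ADMIN_LOGINS = {"sitebuilder", "ops_mark"}
SAMPLE_USERS = [
    {"ID": 1, "user_login": "sitebuilder", "user_email": "owner@example.com",
     "user_registered": "2021-03-12 10:00:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2022-06-01 09:30:00", "roles": "editor"},
    {"ID": 5, "user_login": "ops_mark", "user_email": "mark@example.com",
     "user_registered": "2023-01-20 14:05:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wpgmp_support", "user_email": "support@mail-tmp.example",
     "user_registered": "2026-05-30 02:14:12", "roles": "administrator"},
]
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2026:02:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [30/May/2026:08:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 74 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/May/2026:09:15:22 +0000] "GET /store-locator/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/May/2026:02:14:15 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_support HTTP/1.1" 200 611 "-" "curl/8.0"',
    '192.0.2.9 - - [30/May/2026:10:40:01 +0000] "GET /?check_temp=false HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = run_triage(SAMPLE_LOG, SAMPLE_USERS, KNOWN_ADMIN_LOGINS, SINCE)
    for ip, ts, path, status in report["requests"]:
        print("indicator request  %s  %s  %s  %s" % (ts, ip, status, path))
    for login, reasons in report["admins"]:
        print("suspicious admin   %s: %s" % (login, "; ".join(reasons)))
```

Run against real data, replace SAMPLE_LOG with the lines of your access, WAF or CDN log and SAMPLE_USERS with the parsed WP-CLI export. The script reports the two sample requests from the same client that reach admin-ajax.php with the indicator strings, and one administrator account that trips all three account checks; the GET request carrying check_temp=false on a non-admin-ajax path is deliberately not counted, and a timing match between a flagged request and a flagged account's registration time is the correlation worth escalating.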

FAQ

Is updating WP Maps Pro enough?

Updating to 6.1.1 closes the vulnerable path, but it does not undo an account that may already have been created. If logs or users look suspicious, treat the site as potentially compromised.

Does the attack need a WordPress password?

No. The CVE is an unauthenticated privilege-escalation issue. A valid administrator password is not required for the vulnerable account-creation path.

What is the first indicator to look for?

Start with new administrator accounts and admin-ajax.php requests around the disclosure window. Those signals are more specific than a generic malware scan alone.


Another current WordPress plugin takeover path is Kirki CVE-2026-8206, where a vulnerable password-reset handler can send an administrator reset link to an attacker-controlled inbox.
