WP Maps Pro Flaw Creates Admin Accounts — 15K Sites at Risk
CVE-2026-8732 in WP Maps Pro allows unauthenticated attackers to create administrator accounts. Over 3,600 attacks blocked in 24 hours. Patch to 6.1.1 now.
Attackers are actively exploiting a critical vulnerability in WP Maps Pro that allows anyone to create administrator accounts on WordPress sites without authentication. The flaw, tracked as CVE-2026-8732, carries a CVSS score of 9.8 and affects all versions through 6.1.0.
Wordfence's firewall blocked over 3,600 exploitation attempts in just 24 hours following public disclosure. With roughly 15,000 WordPress installations running the plugin, site owners need to update immediately.
How the Attack Works
WP Maps Pro includes a "temporary access" feature designed to let support staff troubleshoot customer sites. The implementation went catastrophically wrong.
The plugin registers an AJAX endpoint through the wpgmp_temp_access_ajax_callback() function that handles temporary access requests. Two fundamental security mistakes make exploitation trivial:
First, the endpoint is registered with wp_ajax_nopriv_, meaning unauthenticated users can call it. Second, the nonce protecting the endpoint gets exposed in frontend JavaScript through wp_localize_script. Attackers can simply grab the nonce from any page and use it to pass the endpoint's only check.
When an attacker sends a request with check_temp set to false, the function creates a new WordPress user with a randomly generated username starting with fc_user_ and assigns the administrator role. The function then generates a passwordless "magic login URL" and sends it to a hardcoded email address: [email protected].
"The function relies solely on a publicly exposed nonce check in frontend JavaScript, rendering protection ineffective," Wordfence researchers explained. "Unauthenticated attackers can invoke the handler and create administrator accounts with full site access."
Why Temporary Access Features Fail
This vulnerability follows a pattern we've seen repeatedly in WordPress plugins. Developers create backdoor mechanisms for legitimate support purposes, then fail to secure them properly. Similar issues have affected other plugins—the ACF Extended admin takeover vulnerability from January allowed the same unauthenticated privilege escalation through a different mechanism.
The WP Maps Pro flaw is worse because it's a deliberate support backdoor rather than an implementation bug. The code intentionally creates admin accounts and sends login links to a hardcoded email. Someone at FlipperCode either didn't consider that attackers could abuse this, or actively designed insecure code.
Timeline and Disclosure
Security researcher David Brown discovered the vulnerability and reported it through Wordfence's Bug Bounty Program on March 24, 2026. He received a $1,950 bounty for the find.
Wordfence validated the exploit on May 16 and contacted FlipperCode through the Envato security team after failing to locate direct vendor contact information. The developer released version 6.1.1 with a patch on May 20.
The fix adds proper capability checks to the AJAX action, restricting the endpoint to authenticated administrators only. The temporary access feature now works as intended—only admins can generate support access links.
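The two registration mistakes described above, beside the hardened shape of a capability-checked AJAX action, as an added illustration that is not the plugin's actual code or the vendor's patch. Only wpgmp_temp_access_ajax_callback comes from the advisory; the hook, script and variable names, the fixed handler and the meta key are hypothetical.

```php
<?php
// Added illustration, not the plugin's real code: the two registration mistakes
// and the hardened form (a capability check on the AJAX action). Hook, script and
// variable names other than wpgmp_temp_access_ajax_callback are hypothetical.

// ---- Vulnerable pattern --------------------------------------------------------
// Mistake 1: the wp_ajax_nopriv_ hook makes the handler reachable without a login.
add_action( 'wp_ajax_wpgmp_temp_access',        'wpgmp_temp_access_ajax_callback' );
add_action( 'wp_ajax_nopriv_wpgmp_temp_access', 'wpgmp_temp_access_ajax_callback' );

// Mistake 2 (inside a wp_enqueue_scripts callback): the only gate is a nonce that is
// printed into the page for every visitor, so it proves nothing about who is calling.
wp_localize_script( 'wpgmp-frontend', 'wpgmp_vars', array(
    'ajax_url' => admin_url( 'admin-ajax.php' ),
    'nonce'    => wp_create_nonce( 'wpgmp_temp_access' ),
) );

// ---- Hardened form -------------------------------------------------------------
// Registered for logged-in users only: there is no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_wpgmp_temp_access', 'wpgmp_temp_access_ajax_callback_fixed' );

function wpgmp_temp_access_ajax_callback_fixed() {
    // The nonce still blocks CSRF, but it is no longer the only check.
    check_ajax_referer( 'wpgmp_temp_access', 'nonce' );

    // Authorization: only an administrator who may create users gets past this point.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Privileged work happens only for an authorized caller. The body below is
    // illustrative; it keeps the fc_user_ prefix the article describes.
    $user_id = wp_insert_user( array(
        'user_login' => 'fc_user_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }
    // Record who requested support access so the account can be audited later.
    update_user_meta( $user_id, 'wpgmp_created_by', get_current_user_id() );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```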
Affected Sites and Scope
WP Maps Pro has accumulated over 15,800 sales on Envato Market since launch. The plugin lets site owners embed Google Maps with custom markers, routes, and location data. Many e-commerce sites, business directories, and local service providers use it to display store locations or delivery zones.
Active exploitation means attackers aren't waiting. Any site running version 6.1.0 or earlier should assume it's being targeted. Once an attacker creates an admin account, they control everything: user data, payment information, database credentials, and the ability to inject malware into pages.
CMS plugin vulnerabilities have been a persistent problem this year. Just yesterday we covered a critical template injection flaw in Formie affecting Craft CMS sites—another case of plugin code creating unexpected attack surface.
What To Do Now
Update to WP Maps Pro 6.1.1 immediately. If you can't update right now, deactivate the plugin until you can.
After updating, audit your WordPress user list for suspicious accounts. Look for usernames starting with fc_user_ followed by random characters—these are created by the exploit. Delete any accounts you don't recognize and check your admin activity logs for unauthorized access.
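An added audit helper for the user-list check above, not from the advisory or the plugin: it lists administrator accounts whose login carries the fc_user_ prefix. It assumes it runs inside WordPress, for example via WP-CLI's `wp eval-file`; the function name and the file name are hypothetical.

```php
<?php
// Added audit helper, not from the advisory or the plugin: list administrator
// accounts whose login starts with fc_user_. Run inside WordPress, e.g.
// `wp eval-file audit-fc-users.php` (WP-CLI assumed; file name is hypothetical).

/**
 * Return administrator accounts whose login begins with fc_user_.
 * WP_User_Query's trailing * wildcard performs a prefix match on user_login.
 */
function audit_fc_user_admins() {
    $query = new WP_User_Query( array(
        'role'           => 'administrator',
        'search'         => 'fc_user_*',
        'search_columns' => array( 'user_login' ),
        'fields'         => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'        => 'registered',
        'order'          => 'DESC',
    ) );
    return $query->get_results();
}

// A legitimate support account would have been requested by one of your own admins;
// any other account with this prefix is suspect.
$suspects = audit_fc_user_admins();
if ( empty( $suspects ) ) {
    echo "No fc_user_ administrator accounts found.\n";
} else {
    echo "ID\tlogin\temail\tregistered (UTC)\n";
    foreach ( $suspects as $u ) {
        printf( "%d\t%s\t%s\t%s\n", $u->ID, $u->user_login, $u->user_email, $u->user_registered );
    }
    // Registration time is the pivot for the log review the article recommends.
    echo "Note each registration time, then check admin activity logs around it\n"
       . "before deleting the account.\n";
}
```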
Consider running a malware scan on your WordPress installation. Attackers who gained admin access may have installed backdoors or modified core files to maintain persistence even after you patch—similar to how the EKZ infostealer campaign deployed persistent malware through compromised admin panels.
If you're running a business-critical WordPress site, this incident is a reminder that premium plugins from marketplaces like Envato don't guarantee security. The $59 plugin license doesn't include a security audit. Treat every third-party plugin as potential attack surface and keep an inventory of what's running on your sites.
For ongoing WordPress security news and vulnerability tracking, check our hacking news coverage.