Description
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
Published: 2026-05-29
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Maps Pro up to and including version 6.1.0 contains an authentication bypass that lets an attacker create an administrator user without any credentials. The flaw lies in the wpgmp_temp_access_ajax AJAX action, which is registered for unauthenticated (nopriv) access and guarded only by a nonce that is written into every front-end page. Because that check does not establish who is calling, a request can reach the wp_insert_user() call with a hard-coded administrator role, and the plugin then returns a magic login URL that, when visited, logs the requester in as the new user. This is a classic instance of CWE-306, missing authentication for a critical function. The direct consequence is total control of the WordPress site, including all content, settings, and other user accounts.
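The description above faults two things: the handler is reachable through wp_ajax_nopriv_, and the only gate is a nonce that wp_localize_script has already written into every public page. A WordPress nonce created for a logged-out visitor is derived from user ID 0, so the same value validates for every logged-out visitor; it defends against CSRF, not against an unauthenticated caller. The following is an added example, not WP Maps Pro code, showing the hardened registration pattern; the hook name, script handle, and function names are hypothetical.

```php
<?php
// Added example (not the plugin's own code): the registration pattern the
// advisory describes, kept only as a comment for contrast, followed by a
// hardened form. All names here are hypothetical.

// --- Pattern described in the advisory (do not ship) ---
// add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_handler' );
// The handler then only ran check_ajax_referer() against a nonce that
// wp_localize_script() had placed in every public page, so any visitor held
// a "valid" nonce and the handler went on to create an administrator.

// --- Hardened form ---
// 1. Register only the authenticated hook; there is no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_handler' );

function example_temp_access_handler() {
    // 2. The nonce stays, but only as a CSRF token. It never decides
    //    whether the caller is allowed to do this.
    check_ajax_referer( 'example-temp-access', 'nonce' );

    // 3. Authorization: only users who can already create users get further.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Never take the role from the request and never hard-code
    //    'administrator'; grant the least privilege the feature needs.
    $userdata = array(
        'user_login' => 'support_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 32, true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'role'       => 'subscriber',
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    // 5. Do not return a "magic" URL that calls wp_set_auth_cookie() for the
    //    new account; the account logs in through the normal login flow.
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// 6. Only enqueue the nonce on admin pages for users who hold the capability,
//    so it is never embedded in public front-end pages.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'create_users' ) ) {
        return;
    }
    // 'example-admin' and js/admin.js are placeholders for the plugin's script.
    wp_enqueue_script( 'example-admin', plugins_url( 'js/admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'example_local', array(
        'nonce'    => wp_create_nonce( 'example-temp-access' ),
        'ajax_url' => admin_url( 'admin-ajax.php' ),
    ) );
} );
```

The order of checks matters: the capability check is the access control, and the nonce check before it is only there so a logged-in administrator cannot be tricked into creating accounts from another site. Removing the nopriv registration alone would already close the unauthenticated path; the remaining steps remove the hard-coded administrator role and the auto-login URL that turned account creation into full takeover.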

Affected Systems

All installations of WP Maps Pro at version 6.1.0 or older are affected. Sites that have not applied the latest patch or upgraded past 6.1.0 remain exposed to unauthenticated privilege escalation.

Risk and Exploitability

The CVSS score of 9.8 reflects critical severity, with full impact on the confidentiality, integrity, and availability of the WordPress instance. The EPSS estimate is very low (under 1%), and the absence of a KEV listing indicates that no widespread exploitation has been reported yet. The weakest point is a public AJAX endpoint: any visitor can send the malicious request, so the vulnerability is trivial to exploit once an attacker discovers it. No credentials are needed; a single crafted HTTP POST to the vulnerable endpoint gives the attacker full administrator access immediately.

Generated by OpenCVE AI on May 29, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Maps Pro plugin to the latest version that removes the vulnerable AJAX endpoint or corrects the access control so that only authenticated users can create accounts.
  • Revoke or regenerate all nonces, secret keys, and public scripts used by the plugin; remove the wp_ajax_nopriv_ registration for the wpgmp_temp_access_ajax action so that the endpoint is no longer accessible without proper authentication.
  • Inspect all WordPress accounts to ensure no unauthorized administrator users exist; permanently delete any newly created accounts that were not authorized by legitimate site owners.
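The risk paragraph above notes that the attack is a single POST to a public endpoint, and the last recommended action is to look for administrator accounts nobody authorized. An added example, not OpenCVE's or the plugin's code, that correlates the two: it parses web-server access log lines for requests to admin-ajax.php carrying the vulnerable action name, then flags administrator accounts whose registration time falls shortly after such a request. The log lines and user records are constructed samples; on a real site the user list would come from wp_users/wp_usermeta (for example via WP-CLI).

```php
<?php
// Added example, not OpenCVE or plugin code. Correlates access-log hits on
// the vulnerable AJAX action with administrator accounts registered shortly
// afterwards. Sample log lines and users below are constructed.

const VULNERABLE_ACTION = 'wpgmp_temp_access_ajax';

/** Parse one combined-format access log line into its parts, or null. */
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    return array(
        'ip'     => $m[1],
        'time'   => $ts ? $ts->getTimestamp() : 0,
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    );
}

/** Log entries that reached admin-ajax.php with the vulnerable action. */
function find_suspicious_requests( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $e = parse_log_line( $line );
        if ( ! $e || strpos( $e['path'], 'admin-ajax.php' ) === false ) {
            continue;
        }
        parse_str( parse_url( $e['path'], PHP_URL_QUERY ) ?? '', $params );
        $action = $params['action'] ?? null;
        // The action usually travels in the POST body, which combined-format
        // logs do not record, so a POST with no action in the query string is
        // kept at low confidence instead of being dropped.
        if ( $action === VULNERABLE_ACTION ) {
            $e['confidence'] = 'high';
            $hits[] = $e;
        } elseif ( $e['method'] === 'POST' && $action === null ) {
            $e['confidence'] = 'low';
            $hits[] = $e;
        }
    }
    return $hits;
}

/** Administrators registered within $window seconds after a suspicious request. */
function flag_admins( array $users, array $hits, int $window = 3600 ): array {
    $flagged = array();
    foreach ( $users as $u ) {
        if ( ! in_array( 'administrator', $u['roles'], true ) ) {
            continue;
        }
        $registered = strtotime( $u['user_registered'] . ' UTC' ); // wp_users stores UTC
        foreach ( $hits as $h ) {
            $delta = $registered - $h['time'];
            if ( $delta >= 0 && $delta <= $window ) {
                $flagged[] = array( 'login' => $u['user_login'], 'via' => $h['ip'], 'confidence' => $h['confidence'] );
                break;
            }
        }
    }
    return $flagged;
}

// Constructed samples: not real traffic and not a real user table.
$log_lines = array(
    '203.0.113.7 - - [29/May/2026:07:10:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 512 "-" "curl/8.6"',
    '198.51.100.2 - - [29/May/2026:07:12:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 98 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [29/May/2026:07:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
);
$users = array(
    array( 'user_login' => 'siteowner',    'roles' => array( 'administrator' ), 'user_registered' => '2024-01-10 09:00:00' ),
    array( 'user_login' => 'tmpadmin_7f3', 'roles' => array( 'administrator' ), 'user_registered' => '2026-05-29 07:10:06' ),
    array( 'user_login' => 'editor1',      'roles' => array( 'editor' ),        'user_registered' => '2026-05-29 07:30:00' ),
);

$hits = find_suspicious_requests( $log_lines );
foreach ( flag_admins( $users, $hits ) as $f ) {
    printf( "REVIEW admin '%s' registered shortly after request from %s (confidence: %s)\n",
        $f['login'], $f['via'], $f['confidence'] );
}
```

With the samples above only tmpadmin_7f3 is reported, at high confidence, because its registration time is one second after the request that named the action. The low-confidence bucket exists because most hosts log only the request line; if request bodies or a WAF log are available, matching on the action there removes that noise. Any account this flags should be reviewed, not deleted blindly, since the window is a heuristic.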

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Flippercode
                                      Flippercode wp Maps Pro
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Flippercode
                                      Flippercode wp Maps Pro
                                      Wordpress
                                      Wordpress wordpress

Fri, 29 May 2026 10:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 06:30:00 +0000

Type          Values Removed   Values Added
Description                    The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
Title                          WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
Weaknesses                     CWE-306
References
Metrics                        cvssV3_1
                               {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:06:56.863Z

Reserved: 2026-05-16T10:10:10.883Z

Link: CVE-2026-8732

Vulnrichment

Updated: 2026-05-29T10:06:52.296Z

NVD

Status: Deferred

Published: 2026-05-29T07:16:14.487

Modified: 2026-05-29T13:09:05.450

Link: CVE-2026-8732

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:34Z

Weaknesses