EXECUTIVE SUMMARY:
CVE-2026-8732, with a CVSS score of 9.8, is a critical unauthenticated privilege-escalation flaw in the WP Maps Pro WordPress plugin, affecting versions prior to 6.1.1. The vulnerability resides in the wpgmp_temp_access_ajax_callback() endpoint, which implements a temporary-access feature intended for vendor support but fails to verify the caller's capabilities. Although a nonce is required, the token can be retrieved by any external visitor, so the endpoint can be invoked without authentication. By sending a crafted AJAX request to this endpoint, an attacker can cause the plugin to insert a new administrator user into the WordPress database and receive a secret login URL that bypasses the normal password-based authentication flow. Once logged in, the adversary has full control of the site, enabling the installation of malicious plugins, defacement, data exfiltration, or further lateral movement within the hosting environment. Exploitation requires only public internet access to the vulnerable site and the ability to obtain a valid nonce, both of which are trivial for automated bots, making the risk high for any site running the affected plugin versions.
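The root cause described above is a nonce check standing in for an authorization check. The following is an added illustration of that pattern and its fix, written for this advisory; it is not the plugin's code, and all function, action and nonce names are hypothetical.

```php
<?php
// Added example (hypothetical handler, not WP Maps Pro source).
// A WordPress nonce only proves the request came from a page that embedded
// the token; if that token is printed into markup served to anonymous
// visitors, it proves nothing about who is calling.

// Weak form: nonce-only, and reachable without a session via wp_ajax_nopriv_.
function example_temp_access_weak() {
    check_ajax_referer( 'example_temp_access', 'nonce' );
    // A privileged operation (e.g. creating a user and returning a login
    // link) would follow here with no check of the caller's capabilities.
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_temp_access_weak', 'example_temp_access_weak' );
add_action( 'wp_ajax_example_temp_access_weak', 'example_temp_access_weak' );

// Hardened form: keep the nonce (CSRF protection), additionally require an
// authenticated user holding the capability the operation needs, and do not
// register a nopriv hook for a privileged action at all.
function example_temp_access_hardened() {
    check_ajax_referer( 'example_temp_access', 'nonce' );
    if ( ! is_user_logged_in() || ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    // Privileged work runs only after both the nonce and capability checks pass.
    wp_send_json_success();
}
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_nopriv_*` registration and for handlers whose only gate is `check_ajax_referer()` or `wp_verify_nonce()` with no `current_user_can()` call before the sensitive operation.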
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/wp-maps-pro-vulnerability-exploited/