Vulnerability intelligence
CVE-2026-8732
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism.
CVSS Score
9.8
Critical
EPSS — Exploit Probability
0.1%
Riskier than 27% of all CVEs
Exploitation
Not in CISA KEV
No federal exploitation record
Remediation
unknown
Check vendor advisories
2 articles across 2 outlets · first covered Jun 1, 2026 · latest Jun 1, 2026
Coverage timeline
-
WP Maps Pro bug lets attackers create admin accountswww.securityweek.com · Jun 1, 2026
-
CVE-2026-8732 flaw in WP Maps Pro lets hackers add admin accountssecurityaffairs.com · Jun 1, 2026