CRITICAL: WP Maps Pro Bug (CVE-2026-8732) Spawns Admin Accounts on 15,000 WordPress Sites
A CVSS 9.8 unauthenticated administrator account creation flaw in the WP Maps Pro WordPress plugin (CVE-2026-8732) is under active mass exploitation. Wordfence and its parent company Defiant report between 2,858 and more than 3,600 blocked attempts within a single 24-hour window. The bug abuses a vendor-support shortcut to mint administrator accounts through an unauthenticated AJAX endpoint gated only by a publicly exposed nonce. All versions through 6.1.0 are vulnerable. Patch to 6.1.1 and hunt for rogue administrator accounts whose email address is support@flippercode.com.
Every WordPress plugin auditor's worst nightmare is the helpful little feature buried three layers deep that nobody on the marketing page ever mentions. WP Maps Pro just delivered exactly that. CVE-2026-8732 is a CVSS 9.8 unauthenticated administrator account creation bug in the popular mapping plugin sold to roughly 15,800 customers through Envato Market. Wordfence logged 2,858 blocked exploitation attempts in a single twenty-four-hour window after disclosure; a second figure from Defiant, the company behind Wordfence, puts the same window at more than 3,600. The plugin author shipped version 6.1.1 on May 20 to close the hole, and the WordPress security ecosystem has spent the last ten days watching attackers spray the endpoint at anything that smells like a real estate site, a small business map, or a tourism page.
The mechanics deserve a moment of appreciation, because this is the kind of bug that gets written on a Friday afternoon when the support team asks for a quick way to log into a customer site to fix something. WP Maps Pro shipped a feature called "temporary access" that was meant to let support staff at the vendor authenticate into a customer's WordPress install without the customer having to share a password. The implementation registers an AJAX action called wpgmp_temp_access_ajax under WordPress's wp_ajax_nopriv_ hook, the hook that explicitly fires for unauthenticated visitors. That alone is not fatal; plenty of legitimate front-end features use nopriv handlers. The fatal part is that the only thing standing between an internet visitor and the support function is a nonce with the action name fc-call-nonce, which the plugin publishes to every page via wp_localize_script. A WordPress nonce is a CSRF token, not an authorization check: it only proves that the request came from a page the site served, and the nonce generated for logged-out visitors is the same value for every logged-out visitor because it is keyed on user ID 0 and an empty session token. Using a nonce as the sole gate on a privileged action is a design error wherever it is printed; printing it in the page source for everyone merely removes the last bit of friction. In other words, the gate to the back door is locked, but the key is taped to the front door at eye level.
When an attacker fires a crafted POST request at admin-ajax.php with the action wpgmp_temp_access_ajax, the leaked nonce, and the parameter check_temp set to false, the function wpgmp_temp_access_support runs with no authentication or capability check of any kind. It calls wp_insert_user with a randomly generated username and the hardcoded vendor email address support@flippercode.com, assigns the administrator role, and then calls a helper named generate_login_link to mint a passwordless "magic login URL" stored in user meta. The attacker visits that magic URL, WordPress treats them as the newly minted administrator, and the site is no longer the customer's site. There is no exploit primitive to craft and no memory corruption to wrangle, just a feature working exactly as written.
Researcher David Brown reported the bug to Wordfence on March 24 of this year. Wordfence validated the issue and notified Flippercode, the plugin vendor, on May 16. The patched 6.1.1 release dropped on May 20. Within twenty-four hours of public disclosure, the Wordfence Threat Intelligence team logged 2,858 blocked exploitation attempts, and Defiant, Wordfence's parent company, has cited a figure above 3,600 for the same window. By the time the Memorial Day weekend was over, the published nonce was being scraped, spent, and weaponized by at least two distinct opportunistic clusters. Welcome to modern WordPress security, where the speed of mass exploitation is now measured in hours after a patch lands.
WP Maps Pro is a commercial plugin distributed primarily through Envato's CodeCanyon marketplace rather than the wordpress.org repository, which complicates remediation in ways that matter for anyone running a fleet of customer sites. Envato customers have to log into their Envato account, navigate to their downloads, pull the latest zip, and either install through the WordPress admin or push the files manually. There is no automatic update path through the standard WordPress plugin updater for most paid Envato extensions unless the publisher has bolted on a custom updater that talks to Envato's API. That means a lot of installations are sitting on 6.1.0 and earlier with no clean self-service patch path, and the typical small business owner has no idea what an Envato API key even is.
The de facto user base for this plugin is exactly the demographic that does not have a security team. WP Maps Pro shows up most often on real estate sites that need property maps, tourism and hospitality pages that show the locations of properties or attractions, retail microsites with store locators, and small professional services firms with a single office pin on a contact page. None of those organizations are likely to have a vulnerability scanner pointed at their public surface, and none of them are likely to have a SIEM ingesting WordPress audit logs. They will, however, have a contract with an MSP, an agency, or a marketing services provider who gets the first phone call when the site starts redirecting to a malware download or when the homepage suddenly hosts a Google AdSense scrape farm in English, Russian, and Hindi.
Detection on a vulnerable site is almost embarrassingly easy if anyone is watching. The exploit produces an administrator account with the email address support@flippercode.com and a randomly generated username. Run wp user list --role=administrator and look for any account whose email matches that string. If you have not personally invited the vendor to support your site in the last two weeks, that account does not belong there. Remember that the email is only the account's initial state: an attacker who already holds administrator access can rename the account or change its email, so review every administrator by registration date as well, not just the ones carrying the vendor address. Pair that with an Apache or Nginx access log search for requests to admin-ajax.php whose query string contains action=wpgmp_temp_access_ajax together with check_temp=false. One caveat: the standard combined log format records only the request line, never the POST body, so an exploit that sends both parameters in the body shows up as an unremarkable POST to admin-ajax.php. In that case the WAF or security-plugin log is the only place the parameters were recorded, and an empty grep does not prove the site was missed. Either signal individually is a smoking gun, and the combination is open-and-shut compromise. Wordfence, Sucuri, Patchstack, and most other WordPress security plugins have shipped detection rules in the last week, so the easiest path forward is to install one if the site does not already have it and let the scanner do the inventory work.
Cleanup is more invasive than the typical plugin update because by the time you read this, any site that has been popped probably already has additional persistence dropped on top of the rogue administrator account. Standard procedure looks like this, in order. Take the site offline or put it behind maintenance mode. Update WP Maps Pro to 6.1.1, or remove the plugin entirely if the maps feature is no longer in active use. Delete any administrator account with the support@flippercode.com email address that you did not personally create; deleting the user also removes the stored magic login link and its sessions. Force a password reset for every legitimate administrator and editor. Inspect wp-content/plugins and wp-content/mu-plugins for any plugin folder you do not recognize, with particular attention to anything containing a base64_decode or eval call near the top of the main PHP file, and check the active theme and wp-content/uploads for PHP files that should not be there, since an administrator can write both through the built-in file editor and media upload paths. Replace WordPress core files from a fresh install zip to overwrite any tampered source. Rotate the WordPress salts in wp-config.php so that every existing authentication cookie, including any the attacker is still holding, becomes useless. If the site stores customer PII or processes payments, treat the incident as a reportable breach until proven otherwise, because the attacker had administrator access to the database and could have exfiltrated any of it.
There is a broader lesson here for anyone responsible for a WordPress fleet, which is that the Envato distribution channel deserves its own asset inventory and patch process distinct from the regular wordpress.org plugin tracking. Envato plugins are not covered by wordpress.org's update and vulnerability metadata, so version checks and vulnerability scanners keyed on the wordpress.org slug may not match them at all unless you supply the data yourself; they do not auto-update through the WordPress UI by default; and they tend to be single-vendor implementations of common features like maps, sliders, and form builders, exactly the kinds of components attackers love to find buried on otherwise legitimate sites. Building a quarterly review of every Envato or commercial plugin under management, with the version installed, the latest available version, and the latest known CVE, is the only way to avoid being on the wrong end of the next CVE-2026-8732.
For MSPs and managed WordPress hosts, this is a customer outreach opportunity disguised as an emergency. Pull every WordPress site under management, query each one for the wp-maps-pro plugin folder, and split the list into patched and unpatched. Send a templated note to every customer in the unpatched column that explains the issue, names the steps you have already taken on their behalf, and includes a soft pitch for a recurring managed plugin update and security monitoring tier. Customers who said no to that tier six months ago will frequently reconsider when they read the words "fifteen thousand sites at risk" in a vendor advisory. For agencies that build a lot of real estate or tourism sites with this particular plugin, consider standardizing on an alternative like WP Google Maps or one of the wordpress.org repository options that benefits from the official auto-update channel. Standardization reduces fleet variance, which reduces the surface you need to patch and the number of vendor portals you need to maintain accounts on. That is operational discipline you can charge for.
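The following triage helpers are an added example for the detection steps above and the patched-versus-unpatched fleet split in this paragraph; they are written for this page and are not tooling from the vendor, Wordfence, or any security plugin. They assume only what the article states: rogue administrators carry the email support@flippercode.com, the exploit request targets admin-ajax.php with action=wpgmp_temp_access_ajax and check_temp=false, versions through 6.1.0 are affected and 6.1.1 is fixed. The plugin slug wp-maps-pro for wp-cli is an assumption, and the CSV and access-log lines are constructed samples, not captures from a real site.

```shell
#!/usr/bin/env bash
# Added example for this page (not vendor or Wordfence code): triage helpers for
# the WP Maps Pro temporary-access bug. Indicators and version boundary come from
# the article; PLUGIN_SLUG is an assumption; SAMPLE_* data is constructed.

VENDOR_EMAIL="support@flippercode.com"
FIXED_VERSION="6.1.1"
PLUGIN_SLUG="wp-maps-pro"   # assumed slug; confirm with: wp plugin list --field=name

# wpmaps_is_vulnerable VERSION -> exit 0 when VERSION is older than 6.1.1
# (numeric, component-wise compare; missing components count as 0)
wpmaps_is_vulnerable() {
  awk -v v="$1" -v fix="$FIXED_VERSION" 'BEGIN {
    n = split(v, a, "."); m = split(fix, b, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      x = (i <= n) ? a[i] + 0 : 0
      y = (i <= m) ? b[i] + 0 : 0
      if (x < y) exit 0      # component older than the fix: vulnerable
      if (x > y) exit 1      # component newer than the fix: patched
    }
    exit 1                   # identical to the fix: patched
  }'
}

# find_rogue_admins < CSV -> rows whose email is the vendor address. Feed it:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
find_rogue_admins() {
  awk -F',' -v email="$VENDOR_EMAIL" \
    'NR > 1 && tolower($3) == tolower(email) { print }'
}

# find_exploit_hits < ACCESS_LOG -> combined-format lines for admin-ajax.php
# requests whose query string carries both exploit parameters.
find_exploit_hits() {
  grep -E '"(POST|GET) [^"]*admin-ajax\.php\?[^"]*action=wpgmp_temp_access_ajax' \
    | grep -E '"(POST|GET) [^"]*check_temp=false'
}

# find_opaque_ajax_posts < ACCESS_LOG -> POSTs to admin-ajax.php with no query
# string. Access logs never record the POST body, so a body-only exploit request
# looks exactly like this; correlate these with WAF or security-plugin logs
# instead of declaring the site clean.
find_opaque_ajax_posts() {
  grep -E '"POST [^"?]*admin-ajax\.php HTTP/'
}

# triage_site PATH -> "PATH<TAB>version<TAB>STATUS" for a live install.
# Needs wp-cli on the host; not exercised by the offline demo below.
triage_site() {
  local path="$1" version status
  version=$(wp --path="$path" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    printf '%s\tn/a\tNOT_INSTALLED\n' "$path"; return 0; }
  if wpmaps_is_vulnerable "$version"; then status=UNPATCHED; else status=PATCHED; fi
  if wp --path="$path" user list --role=administrator \
       --fields=ID,user_login,user_email,user_registered --format=csv \
       | find_rogue_admins | grep -q .; then
    status="$status+ROGUE_ADMIN"
  fi
  printf '%s\t%s\t%s\n' "$path" "$version" "$status"
}

# Constructed sample inputs so the helpers can be run offline.
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,owner,owner@example.com,2021-03-02 10:11:12
7,k3x9q2mz,support@flippercode.com,2026-05-21 03:44:09
8,editor_jane,jane@example.com,2023-08-14 09:00:00'

SAMPLE_LOG='203.0.113.7 - - [21/May/2026:03:44:08 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [21/May/2026:03:50:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.5 - - [21/May/2026:04:00:00 +0000] "GET /contact/ HTTP/1.1" 200 9044 "-" "Mozilla/5.0"'

demo() {
  for v in 6.0.9 6.1.0 6.1.1 6.2; do
    if wpmaps_is_vulnerable "$v"; then echo "$v: UNPATCHED"; else echo "$v: patched"; fi
  done
  echo "--- rogue admins";      printf '%s\n' "$SAMPLE_ADMINS" | find_rogue_admins
  echo "--- exploit hits";      printf '%s\n' "$SAMPLE_LOG" | find_exploit_hits
  echo "--- opaque ajax POSTs"; printf '%s\n' "$SAMPLE_LOG" | find_opaque_ajax_posts
}
demo
```

For a fleet, loop triage_site over each document root and sort the output by the status column: UNPATCHED rows go to the customer outreach list, any row tagged ROGUE_ADMIN goes straight to the cleanup procedure above. The opaque-POST count is deliberately reported separately, because on a site that only has web server logs it is the honest answer to "was this site hit?"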
References
- The Hacker News: Critical WP Maps Pro Flaw Actively Exploited
https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html
- BleepingComputer: WP Maps Pro bug exploited to create admin accounts on WordPress sites
https://www.bleepingcomputer.com/news/security/wp-maps-pro-bug-exploited-to-create-admin-accounts-on-wordpress-sites/
- Wordfence Threat Intelligence (mirrored on malware.news): 15,000 WordPress sites affected by administrator account creation vulnerability in WP Maps Pro WordPress plugin
https://malware.news/t/15-000-wordpress-sites-affected-by-administrator-account-creation-vulnerability-in-wp-maps-pro-wordpress-plugin/107402
- Feedly CVE-2026-8732 Overview
https://feedly.com/cve/CVE-2026-8732