
WP Maps Pro's support-login AJAX is minting passwordless admins

2026-06-01 by @osbytes, 5 min read
#wordpress #security #php #cve #cms #credentials

TL;DR

  • CVE-2026-8732 (CVSS 9.8, Wordfence CNA) affects WP Maps Pro through 6.1.0. The NVD text names the broken surface: wpgmp_temp_access_ajax registered on wp_ajax_nopriv_, an fc-call-nonce value exposed on every frontend page via wp_localize_script, and a handler path that, when check_temp=false, calls wp_insert_user() with the administrator role and then returns a magic login URL that runs wp_set_auth_cookie().
  • 6.1.1 (released 2026-05-20 per vendor timeline in public reporting) adds a real capability gate. Defiant told SecurityWeek it blocked more than 1,700 exploitation attempts in the prior 24 hours as mass scanning hit the endpoint.
  • If you run this CodeCanyon plugin, update or deactivate today, then audit WordPress users for unexpected administrators and emails like support@flippercode.com.

Support tooling registered like a public API

WP Maps Pro is a commercial maps and store-locator plugin (Envato/CodeCanyon distribution, on the order of 15,000+ sales according to public write-ups). Flipper Code added a temporary-access flow so that support staff could log into customer sites. That is a normal product idea; the implementation treated WordPress hooks like a private RPC.

Two design choices combine into a one-request takeover:

  1. wp_ajax_nopriv_ registration. The temp-access callback is reachable without logging into WordPress at all. A WordPress nonce is a CSRF token, not an authentication credential; on an action that is explicitly registered for unauthenticated callers it proves nothing about who is calling.
  2. Nonce delivered to every visitor. The plugin exposes fc-call-nonce to all frontend pages inside the wpgmp_local JavaScript object. Any bot that can fetch the front page (/) can scrape a valid nonce from the page source, then POST to admin-ajax.php with action=wpgmp_temp_access_ajax and check_temp=false.

With check_temp=false, public reporting (summarized by BleepingComputer on 2026-05-31 and by SecurityWeek) says the plugin calls wp_insert_user() with the administrator role, the hardcoded email support@flippercode.com and a random fc_user_* username, builds a magic login link, and returns that link in the HTTP response body. Visiting the link authenticates the holder without a password.

That is not a subtle privilege bug; it is a remote admin factory.

Timeline: patch before public detail, exploitation after

The coordination window matters for defenders even though it does not change the fix:

  • 2026-03-24: Wordfence Bug Bounty submission (public timelines in malware.news summary of Wordfence's post).
  • 2026-05-20: 6.1.1 shipped with current_user_can('administrator') (or equivalent manage-capability check in vendor text) before the handler runs.
  • 2026-05-29: NVD published Wordfence's description.
  • Late May / early June 2026: Defiant/WAF telemetry shows thousands of blocked attempts per day as scanners weaponize the public write-up.

Premium Wordfence customers got firewall coverage on 2026-05-18 in the same timeline; free-tier rules were scheduled later (2026-06-17 in the malware.news mirror). CodeCanyon customers who do not run Wordfence have only the plugin update.

What to run on affected stacks

Concrete checks, not generic "harden WordPress" advice:

  1. Inventory. Search Composer deployments, managed WordPress panels, and theme bundles for wp-google-map-plugin / WP Maps Pro paths. This is not in the wordpress.org plugin directory; absence from core site scans is not evidence you are clean.
  2. Version. Require ≥ 6.1.1. If you cannot patch immediately, deactivate the plugin; the vulnerable AJAX action should not stay reachable.
  3. Compromise hunt. In Users, look for new administrators, especially @flippercode.com email or fc_user_* prefixes. Review recently installed plugins, theme edits, and wp_options autoload bloat. Rotate salts and force password resets if you find a rogue admin created during the exposure window.
  4. Edge log. Grep CDN or origin logs for admin-ajax.php POSTs carrying wpgmp_temp_access_ajax from unexpected ASNs; that pattern is far louder than generic xmlrpc.php noise.
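Item 4 as working detection logic, an added example that is not part of this post: it parses combined-format access log lines, flags any request that names wpgmp_temp_access_ajax in the query string (recording whether check_temp=false was present), and separately counts admin-ajax.php POSTs whose action would only be in the request body, which standard access logs do not record, so those need WAF or body logs to rule in or out. The log lines are constructed, the addresses are documentation ranges, and the field layout assumes Apache/NGINX combined format.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:02:12 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.23 - - [31/May/2026:10:05:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.9 - - [31/May/2026:10:07:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "curl/8.5"
192.0.2.44 - - [31/May/2026:10:09:15 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 400 12 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TARGET_ACTION = "wpgmp_temp_access_ajax"

def classify(line):
    """("hit", rec) when the request names the vulnerable action; ("opaque_post", rec)
    for an admin-ajax POST with no action in the query (body-only, invisible here); else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(url.query)
    action = qs.get("action", [""])[0]
    rec = {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "status": int(m["status"]),
           "ua": m["ua"],
           # check_temp=false is the branch the write-ups say mints the administrator
           "check_temp": qs.get("check_temp", [None])[0]}
    if action == TARGET_ACTION:
        return ("hit", rec)
    if m["method"] == "POST" and not action:
        return ("opaque_post", rec)
    return None

def scan(log_text):
    """Group hits by source IP and count POSTs that need WAF or body logs to rule out."""
    hits, opaque = {}, 0
    for line in log_text.splitlines():
        res = classify(line)
        if res is None:
            continue
        kind, rec = res
        if kind == "hit":
            hits.setdefault(rec["ip"], []).append(rec)
        else:
            opaque += 1
    return {"hits": hits, "opaque_posts": opaque}
```

A hit with status 200 and check_temp=false on a site that was below 6.1.1 at that timestamp is the trigger for the compromise hunt in item 3; an opaque POST count above the site's normal admin-ajax baseline means the access log alone cannot clear you.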

Sources