
[CIVN-2026-0299] Privilege Escalation Vulnerability in WP Maps Pro plugin for WordPress
Privilege Escalation Vulnerability in WP Maps Pro plugin for WordPress
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
WP Maps Pro plugin for WordPress versions prior to 6.1.1.
Overview
A vulnerability has been reported in WP Maps Pro plugin for WordPress, which could allow a remote attacker to gain elevated privileges on the targeted system.
Target Audience:
All end-user organizations and individuals using WP Maps Pro plugin for WordPress.
Risk Assessment:
High risk of privilege escalation.
Impact Assessment:
Potential for full site compromise via unauthorized administrator access and authentication bypass.
Description
WP Maps Pro is a WordPress plugin used for creating interactive maps and location-based services.
The vulnerability exists in the WP Maps Pro plugin due to improper access control in the wpgmp_temp_access_ajax AJAX action, which is exposed to unauthenticated users via the wp_ajax_nopriv_ hook and is protected only by a publicly accessible nonce (fc-call-nonce). Because a nonce is a CSRF token rather than an authorization check, this weak protection allows attackers to bypass authentication and invoke the wpgmp_temp_access_support function, leading to unauthorized administrator account creation and full site compromise.
Successful exploitation of this vulnerability could allow the attacker to gain elevated privileges on the targeted system.
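The access-control pattern the description refers to, shown as an added illustration that is not the plugin's code and not the vendor's patch: a handler reachable through wp_ajax_nopriv_ and gated only by a nonce, beside a hardened form with a capability check. The action name and nonce name come from the advisory; the handler function names, the parameter names and the user-creation body are assumptions.

```php
<?php
// Illustrative only (not the plugin's code). Only wpgmp_temp_access_ajax and
// fc-call-nonce come from the advisory; all other names are assumptions.

// WEAK PATTERN (the bug class described above): registering the action on
// wp_ajax_nopriv_ makes it reachable by logged-out visitors, and the only gate
// is a nonce whose value is printed into public page markup. A nonce is a CSRF
// token: it proves the request came from a page the site served, not that the
// caller is logged in or allowed to perform the operation.
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'illustrative_weak_handler' );
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'illustrative_weak_handler' );
function illustrative_weak_handler() {
    check_ajax_referer( 'fc-call-nonce', 'nonce' ); // sole check: insufficient
    illustrative_create_support_admin();             // privileged operation
}

// HARDENED PATTERN: no wp_ajax_nopriv_ registration (logged-out callers get a
// "0" response from admin-ajax.php), the nonce is still verified, and the
// privileged operation is reached only by a user who may create users.
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'illustrative_hardened_handler' );
function illustrative_hardened_handler() {
    if ( ! check_ajax_referer( 'fc-call-nonce', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    illustrative_create_support_admin();
}

// Assumed privileged operation: create a temporary support administrator with a
// random password. The advisory says the real function creates an administrator
// account; its actual arguments and behaviour are not described, so this body
// is a stand-in.
function illustrative_create_support_admin() {
    $login   = 'support_' . wp_generate_password( 8, false );
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 24, true ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'user_login' => $login ) );
}
```

When auditing a plugin for this class of issue, look for every wp_ajax_nopriv_ registration and confirm that the handler either needs no privilege at all or performs a current_user_can() check in addition to any nonce.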
Solution
Apply the appropriate fixes/patches as described at:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-map-gold/wp-maps-pro-610-unauthenticated-privilege-escalation-via-administrator-account-creation-to-wpgmp-temp-access-ajax-ajax-action
Vendor Information
WordPress
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-map-gold/wp-maps-pro-610-unauthenticated-privilege-escalation-via-administrator-account-creation-to-wpgmp-temp-access-ajax-ajax-action
References
WordPress
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-map-gold/wp-maps-pro-610-unauthenticated-privilege-escalation-via-administrator-account-creation-to-wpgmp-temp-access-ajax-ajax-action
CVE Name
CVE-2026-8732
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003