One request. No authentication. No password. And the attacker is admin of your WordPress. CVE-2026-8732 in WP Maps Pro is not a subtle flaw — it is a feature that hands administrator credentials to any visitor who asks. CVSS 9.8. Active exploitation. Wordfence blocked 3,600 attacks in 24 hours. Over 15,800 sites with the plugin installed.
The backdoor that called itself "temporary access"
WP Maps Pro is a commercial Google Maps plugin sold on Envato. It has a feature called "temporary access" — supposedly to let the vendor's support team access the client's site. The problem: this feature is a backdoor by design.
The handler wpgmp_temp_access_ajax was registered on wp_ajax_nopriv_, the WordPress hook prefix for AJAX actions that logged-out visitors are allowed to call. The only protection is a nonce (fc-call-nonce) embedded in the JavaScript that the plugin injects into every public page, so any visitor who loads any page on the site can read it in the page source.
This is not a bypass. It is the feature's intentional design. The handler was placed on the nopriv hook deliberately — to work without the visitor being logged in. The feature was not compromised by an attacker who found an unintended path. It was built to do exactly what it does: issue admin credentials via a public endpoint.
The attack chain: one request, one click, full takeover
Exploitation is trivial. No complex exploit, no advanced technical knowledge required. Five steps, all automatable:
- Attacker visits any page on the site and extracts the nonce from the HTML
- POST to admin-ajax.php with action=wpgmp_temp_access_support and check_temp=false
- The plugin creates a user with the administrator role, username fc_user_ + random string, email [email protected]
- The plugin generates a magic login URL and returns it in the response
- Attacker accesses the URL. wp_set_auth_cookie() authenticates as admin. No password. No MFA. No additional verification whatsoever.
One request. One click. Full site takeover. The privilege escalation is not a side effect — it is the function the handler executes by design. The created account has full administrator role. The attacker can install plugins, edit themes, modify files, create new accounts, delete content. Everything a legitimate admin can do — because, as far as WordPress is concerned, the attacker is a legitimate admin.
Why a frontend nonce is not authentication
The vendor's argument would presumably be: "but there is a nonce." A WordPress nonce is a short-lived token derived from the action name, the user ID, the session token and the site's secret salt. It shows that the request came from a page the site itself rendered, which is what stops CSRF; it does not authenticate the caller. For a logged-out visitor the user ID is 0 and the session token is empty, so every anonymous visitor is handed the same nonce, and it stays valid for 12 to 24 hours.
Every visitor can visit any page. Therefore, every visitor can obtain the nonce. Therefore, every visitor passes the nonce check. A protection mechanism that any visitor satisfies is not protection — it is theater.
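To make that concrete, here is a Python model of how WordPress core mints and checks a nonce (wp_create_nonce and wp_verify_nonce: HMAC-MD5 over tick|action|user ID|session token, cut to ten hex characters, accepted for the current and the previous 12-hour tick). This is an added example written for this article, not code from the plugin or from WordPress itself. The salt and the clock value are constructed; the article names the nonce fc-call-nonce without saying whether that is the action string, so it is used here only as a placeholder action.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60  # DAY_IN_SECONDS, WordPress's default nonce_life


def nonce_tick(now):
    """wp_nonce_tick(): the day is cut into two 12-hour ticks."""
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data, salt):
    """wp_hash(): HMAC-MD5 keyed with the site's nonce salt."""
    return hmac.new(salt.encode(), data.encode(), hashlib.md5).hexdigest()


def create_nonce(action, uid, token, salt, now):
    """wp_create_nonce(): substr(wp_hash(tick|action|uid|token), -12, 10).
    A logged-out visitor has uid 0 and an empty session token."""
    return wp_hash(f"{nonce_tick(now)}|{action}|{uid}|{token}", salt)[-12:-2]


def verify_nonce(nonce, action, uid, token, salt, now):
    """wp_verify_nonce(): 1 for the current tick, 2 for the previous one
    (so a nonce lives 12 to 24 hours), False otherwise."""
    i = nonce_tick(now)
    for age, tick in ((1, i), (2, i - 1)):
        expected = wp_hash(f"{tick}|{action}|{uid}|{token}", salt)[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return False


# Constructed values for the demo: a made-up salt (stands in for the site's
# NONCE_KEY/NONCE_SALT), the nonce name the article mentions used as a
# placeholder action, and a fixed clock so the results are reproducible.
SALT = "constructed-salt-not-from-any-real-site"
ACTION = "fc-call-nonce"
T0 = 43_200_100  # seconds since epoch; falls just inside tick 1001


def anonymous_nonces_match(now=T0):
    """Two unrelated logged-out visitors, an hour apart: identical nonces."""
    first = create_nonce(ACTION, 0, "", SALT, now)
    second = create_nonce(ACTION, 0, "", SALT, now + 3600)
    return first == second


def stranger_passes_check(now=T0):
    """A nonce scraped from the page by one visitor verifies for a POST sent
    by a different client an hour later. This is the check the plugin relied on."""
    scraped = create_nonce(ACTION, 0, "", SALT, now)
    return verify_nonce(scraped, ACTION, 0, "", SALT, now + 3600)


def nonce_age_result(hours_ago, now=T0):
    """What verification returns for an anonymous nonce minted hours_ago."""
    old = create_nonce(ACTION, 0, "", SALT, now - hours_ago * 3600)
    return verify_nonce(old, ACTION, 0, "", SALT, now)


def admin_nonce_differs(now=T0):
    """A logged-in user's nonce is bound to their ID and session token, so it
    is a different value; the anonymous one is bound to nobody."""
    anon = create_nonce(ACTION, 0, "", SALT, now)
    admin = create_nonce(ACTION, 1, "session-token-of-user-1", SALT, now)
    return anon != admin


if __name__ == "__main__":
    print("anonymous nonces identical:", anonymous_nonces_match())
    print("scraped nonce accepted from another client:", stranger_passes_check())
    print("10h-old nonce:", nonce_age_result(10), "13h-old nonce:", nonce_age_result(13))
    print("admin nonce differs:", admin_nonce_differs())
```

Run it and the two "visitors" get byte-identical nonces: with user ID 0 and an empty session token, the only inputs are the site salt and the clock, so the check cannot tell one page-loading stranger from another. Note also that a nonce scraped early in a tick stays accepted for up to 24 hours.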
The fix in version 6.1.1 confirms this: it added current_user_can('manage_options'), so the caller must already be an administrator to create another one. That check should have existed from day one. Its absence was not an oversight; it was the necessary condition for the feature to work without login. Note that the check also makes the nopriv registration pointless, since current_user_can() is always false for a caller with no session; the cleaner fix is to drop the wp_ajax_nopriv_ hook entirely so the handler is never reachable without login. A feature that issues admin credentials to anyone who asks is a backdoor by another name.
The distinction between nonce and authentication is not academic. A nonce protects against forged requests from third parties (CSRF). Authentication verifies who is making the request. Confusing the two is like confusing a visitor badge with the key to the vault. WP Maps Pro treated the visitor badge as if it were the key.
15,800 sites paid for a plugin that gave admin to any visitor
WP Maps Pro is a paid plugin, sold on Envato, with over 15,800 active installations. These sites paid for a maps tool that, as a bonus, gave administrator access to any visitor. Wordfence recorded 3,600 blocked attacks in the first 24 hours of active exploitation. The number of actually compromised sites is unknown.
In our audits at Tech86 we have found commercial plugins with nopriv handlers that execute privileged actions. This is not unique to WP Maps Pro; it is a pattern. Plugins that need "support access" or "remote diagnostics" frequently implement mechanisms that bypass authentication. The difference is that, in most cases, nobody audited the code to find out.
The WordPress plugin ecosystem has a structural problem of blind trust. The average site runs 20 to 40 plugins. Each one can register nopriv handlers, embed nonces in the frontend, create endpoints without capability checks. Nobody reviews this before installing. The Envato marketplace does not require security audits. The WordPress.org repository does not require them either. The code goes into production without verification — and the first person to read it with security eyes is the attacker.
What to do now
If you have WP Maps Pro installed, the action is immediate: update to 6.1.1 or deactivate the plugin. Then audit administrator accounts looking for fc_user_* or [email protected], and do not stop at the name: the attacker can rename the account once logged in, so review every administrator created since the plugin was installed (wp user list --role=administrator --fields=user_login,user_email,user_registered). Check access logs for POST requests to admin-ajax.php with action=wpgmp_temp_access_support, bearing in mind that admin-ajax.php reads the action from the query string or the POST body and a standard access log records only the former, so a POST to admin-ajax.php with no action in the URL is not cleared. If there are signs of compromise, treat it as a full breach; removing the malicious account is not enough. Rotate all credentials, including the keys and salts in wp-config.php so that every existing session cookie is invalidated, scan the filesystem for web shells (wp-content/uploads and mu-plugins included), and check wp_options and themes for injected content.
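A triage script for the two checks above, as an added example written for this article (not tooling from Wordfence, the vendor or Tech86). It runs over constructed access-log lines and a constructed user export in the shape that WP-CLI's wp user list produces; the fc_user_ prefix comes from the article, while the IPs, timestamps and usernames are made up and the 24-hour correlation window is an assumption. It also goes one step beyond the text: because the attacker can rename the account, it flags any administrator registered shortly after a suspicious request, not only those matching the naming pattern.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example, not real traffic or a real site:
# four combined-format access log lines and a small user export.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2026:10:21:05 +0000] "GET /contact/ HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2026:10:21:06 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_support&check_temp=false HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [14/May/2026:10:30:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "https://example.test/" "Mozilla/5.0"
192.0.2.55 - - [14/May/2026:11:02:13 +0000] "GET /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Same shape as `wp user list --fields=user_login,roles,user_registered --format=json`
# (WordPress stores user_registered in UTC). The entries are made up.
SAMPLE_USERS = [
    {"user_login": "editor_anna", "roles": "editor", "user_registered": "2025-11-02 09:12:00"},
    {"user_login": "fc_user_k3j9x2", "roles": "administrator", "user_registered": "2026-05-14 10:21:06"},
    {"user_login": "ops_admin", "roles": "administrator", "user_registered": "2024-03-01 08:00:00"},
    {"user_login": "backup_svc", "roles": "administrator", "user_registered": "2026-05-14 10:25:00"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPECT_ACTION = "action=wpgmp_temp_access_support"
PLUGIN_USER_RE = re.compile(r"^fc_user_")


def parse_log(text):
    """Parse combined-format lines into dicts with UTC timestamps."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        entries.append({"ip": m["ip"], "ts": ts, "method": m["method"],
                        "target": m["target"], "status": int(m["status"])})
    return entries


def suspicious_ajax_posts(entries):
    """Every POST to admin-ajax.php is a candidate. admin-ajax.php reads the
    action from $_REQUEST, so it may travel in the body, which a standard access
    log never records; only a query-string action is provable from the log."""
    hits = []
    for e in entries:
        if e["method"] != "POST" or "/admin-ajax.php" not in e["target"]:
            continue
        confidence = "confirmed" if SUSPECT_ACTION in e["target"] else "possible"
        hits.append({"ip": e["ip"], "ts": e["ts"], "confidence": confidence})
    return hits


def suspicious_admins(users, hits, window=timedelta(hours=24)):
    """Flag administrators by the plugin's fc_user_ naming pattern and, because
    the attacker can rename the account, any administrator registered within
    `window` after a suspicious POST (window is an assumed value)."""
    suspect_times = [h["ts"].replace(tzinfo=None) for h in hits]
    flagged = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if PLUGIN_USER_RE.match(u["user_login"]):
            reasons.append("login matches the fc_user_ pattern")
        if any(timedelta(0) <= registered - t <= window for t in suspect_times):
            reasons.append(f"registered within {window} after a suspicious admin-ajax POST")
        if reasons:
            flagged.append({"user_login": u["user_login"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    hits = suspicious_ajax_posts(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h['ts']:%Y-%m-%d %H:%M:%S} {h['ip']:<15} {h['confidence']}")
    for f in suspicious_admins(SAMPLE_USERS, hits):
        print(f"{f['user_login']}: {'; '.join(f['reasons'])}")
```

On the sample data the first POST is confirmed by the action in its query string, the second is only "possible" because the log cannot show its body, and two administrators are flagged: the fc_user_ account and backup_svc, which matches no pattern but was created four minutes after the confirmed request. Feed it your real log and `wp user list --format=json` output and treat the "possible" entries as leads, not noise.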
At Tech86, we audit WordPress environments with a focus on plugin attack surfaces. If your WordPress runs commercial plugins without security audits, you are trusting access to your business to code that nobody verified. A nonce in the frontend is not authentication. A feature that issues admin credentials to any visitor is a backdoor. And 15,800 sites paid for it without knowing.
