WP Maps Pro CVE-2026-8732 actively exploited to create unauthenticated admin accounts on WordPress sites - 'temporary access' AJAX endpoint flaw

Hackers are actively exploiting CVE-2026-8732, a critical unauthenticated flaw in the WP Maps Pro WordPress plugin that lets attackers create rogue administrator accounts. The plugin, a premium interactive-map and store-locator tool with over 15,800 sales on Envato Market, is affected in versions 6.1.0 and older. The flaw stems from a 'temporary access' feature meant to let vendor support staff troubleshoot customer sites: the AJAX endpoint was reachable by unauthenticated users and relied only on a nonce exposed in frontend JavaScript. A crafted request creates a new administrator user, generates a passwordless login URL, and sends it to a remote system. Researcher David Brown reported it.

Check
Inventory WordPress sites for the WP Maps Pro plugin and confirm the installed version. Audit the WordPress users table for unexpected administrator accounts created recently. Review access logs for requests to the plugin's AJAX 'temporary access' endpoint.
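The user-table audit above, as an added example (not code from the article or from the plugin): it reads rows as exported from a join of wp_users and wp_usermeta, decodes the PHP-serialized capabilities value and flags administrator accounts registered inside a review window that are not on a known-admin allowlist. The rows and the allowlist are constructed sample data; the meta key is assumed to be the default 'wp_capabilities' (it follows the site's table prefix).

```python
"""Flag recently created WordPress administrator accounts (added example)."""
from datetime import datetime, timedelta
import re

# Constructed sample rows, shaped like a join of wp_users and wp_usermeta
# (meta_key = 'wp_capabilities' for the default 'wp_' table prefix). Not real data.
SAMPLE_ROWS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-04 10:00:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2024-01-10 09:30:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    # Role flag set to false (b:0): not an active administrator, must not be flagged.
    {"ID": 8, "user_login": "demoted_admin", "user_registered": "2026-05-01 08:00:00",
     "wp_capabilities": 'a:2:{s:13:"administrator";b:0;s:6:"editor";b:1;}'},
    {"ID": 57, "user_login": "unknownadmin42", "user_registered": "2026-05-02 03:12:44",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# wp_capabilities is a PHP-serialized array: a:N:{s:LEN:"role";b:1;...}
# Only roles whose boolean is true (b:1) are granted.
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set[str]:
    """Return the role names that are enabled in a PHP-serialized capabilities array."""
    return set(_ROLE_RE.findall(serialized))


def find_suspicious_admins(rows, now, window_days=30, known_admins=frozenset()):
    """Return user_logins of administrator accounts registered within window_days
    before `now` that are not in the known_admins allowlist."""
    cutoff = now - timedelta(days=window_days)
    flagged = []
    for row in rows:
        if "administrator" not in roles_from_capabilities(row["wp_capabilities"]):
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff and row["user_login"] not in known_admins:
            flagged.append(row["user_login"])
    return flagged


if __name__ == "__main__":
    now = datetime(2026, 5, 10)  # constructed reference time for the sample rows
    for login in find_suspicious_admins(SAMPLE_ROWS, now, known_admins={"siteowner"}):
        print(f"review: recently created administrator account {login!r}")
```

Any login it prints should be checked against change records and removed if no one on the team created it.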
Affected
WP Maps Pro versions 6.1.0 and older on WordPress. The unauthenticated AJAX 'temporary access' endpoint lets anyone create an admin account and receive a passwordless login URL.
Fix
Update WP Maps Pro to the patched version immediately. Remove any unauthorized administrator accounts. Rotate all admin credentials and audit for backdoors, web shells, or plugin/theme tampering.