WP Maps Pro CVE-2026-8732 actively exploited to create unauthenticated admin accounts on WordPress sites - 'temporary access' AJAX endpoint flaw
Hackers are actively exploiting CVE-2026-8732, a critical unauthenticated flaw in the WP Maps Pro WordPress plugin that lets attackers create rogue administrator accounts. The plugin, a premium interactive-map and store-locator tool with over 15,800 sales on Envato Market, is affected in versions 6.1.0 and older. The flaw stems from a 'temporary access' feature meant to let vendor support staff troubleshoot customer sites: the AJAX endpoint was reachable by unauthenticated users and relied only on a nonce exposed in frontend JavaScript. A crafted request creates a new administrator user, generates a passwordless login URL, and sends it to a remote system. Researcher David Brown reported it.
- Check: Inventory WordPress sites for the WP Maps Pro plugin and confirm the installed version. Audit the WordPress users table for unexpected administrator accounts created recently. Review web server access logs for requests to the WordPress AJAX endpoint (admin-ajax.php).
- Affected: WP Maps Pro versions 6.1.0 and older on WordPress. The unauthenticated AJAX 'temporary access' endpoint lets anyone create an administrator account and receive a passwordless login URL.
- Fix: Update WP Maps Pro to the patched version immediately. Remove any unauthorized administrator accounts. Rotate all administrator credentials and audit for backdoors, web shells, or plugin/theme tampering.