Actively Exploited WordPress Plugin Flaw (CVE-2026-8732) Allows Unauthenticated Admin Account Creation

Critical Flaw in WP Maps Pro Plugin Lets Anyone Create Admin Accounts on 15,000+ Sites

CRITICAL
June 1, 2026
5m read
Vulnerability, Cyberattack, Patch Management

Impact Scope

People Affected

15,000+ websites

Industries Affected

Technology, Retail, Media and Entertainment

Related Entities

Organizations

Wordfence

Products & Tech

WordPress WP Maps Pro

CVE Identifiers

CVE-2026-8732 (Critical, CVSS 9.8)

Full Report

Executive Summary

A critical authentication bypass vulnerability, CVE-2026-8732, has been found in the WP Maps Pro plugin for WordPress. The flaw carries a CVSS score of 9.8 (Critical) and is being actively exploited to create rogue administrator accounts on vulnerable websites. The issue stems from an insecurely implemented 'temporary access' feature: any unauthenticated visitor can trigger the corresponding AJAX action and have the plugin create an administrator account with credentials of the attacker's choosing. The developer has released version 6.1.1 to fix the issue, but with over 15,000 active installations, many sites remain at risk. Wordfence reported blocking thousands of attacks, indicating automated and widespread exploitation.


Vulnerability Details

The vulnerability affects all versions of the WP Maps Pro plugin up to and including 6.1.0. The plugin includes a feature that lets the vendor's support staff obtain temporary access to a customer's WordPress dashboard. This feature is exposed as a WordPress AJAX action named wpgmp_temp_access_ajax, reachable through the standard /wp-admin/admin-ajax.php endpoint.

Critically, the handler behind this action performed no authentication or capability check. Any client, including an unauthenticated visitor, could send a single POST request to /wp-admin/admin-ajax.php with the action parameter set to wpgmp_temp_access_ajax. WordPress dispatched the request to the handler, which created a new user with the attacker-supplied username and password and assigned it the 'administrator' role. One request therefore yields full control of the site, with no prior foothold required.
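To make the pattern concrete, the following is an illustrative reconstruction written for this article, placed next to a hardened version. It is not the plugin's actual source code: the hook name and the 'administrator' role are taken from the advisory, while the request parameter names (login, pass), the nonce action name, the 'editor' role chosen for the support account, and its 24-hour lifetime are assumptions.

```php
<?php
// Illustrative reconstruction written for this article. It is NOT the plugin's own code:
// the hook name and the 'administrator' role are taken from the advisory; the parameter
// names ('login', 'pass'), the nonce action name, the 'editor' role and the 24-hour
// lifetime for the support account are assumptions.

// ---------- Vulnerable pattern: the handler is reachable without logging in ----------
function wpgmp_temp_access_ajax_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ) );
    $pass  = (string) ( $_POST['pass'] ?? '' );

    // No nonce, no capability check: whoever reaches this code chooses the credentials.
    $user_id = wp_create_user( $login, $pass );
    if ( ! is_wp_error( $user_id ) ) {
        ( new WP_User( $user_id ) )->set_role( 'administrator' );
    }
    wp_send_json_success( [ 'user_id' => $user_id ] );
}
// The wp_ajax_nopriv_ registration is what lets an anonymous POST to admin-ajax.php
// reach the handler; the logged-in (wp_ajax_) hook alone would not.
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', 'wpgmp_temp_access_ajax_vulnerable' );
add_action( 'wp_ajax_wpgmp_temp_access_ajax',        'wpgmp_temp_access_ajax_vulnerable' );

// ---------- Hardened pattern ----------
function wpgmp_temp_access_ajax_hardened() {
    // 1. Anti-CSRF: the request must carry a nonce issued to the caller's own session.
    //    check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'wpgmp_temp_access', 'nonce' );

    // 2. Authorisation: only a user who may already create and promote users gets further.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends the response and exits
    }

    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true );
    if ( '' === $login || username_exists( $login ) ) {
        wp_send_json_error( 'invalid or existing login', 400 );
    }

    // 3. Never accept a caller-chosen password; generate one and return it once.
    $pass    = wp_generate_password( 24, true, true );
    $user_id = wp_create_user( $login, $pass );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }

    // 4. Least privilege and a bounded lifetime: support access does not need 'administrator',
    //    and the account is scheduled for deletion by WP-Cron after 24 hours.
    ( new WP_User( $user_id ) )->set_role( 'editor' );
    wp_schedule_single_event( time() + DAY_IN_SECONDS, 'wpgmp_revoke_temp_access', [ $user_id ] );

    wp_send_json_success( [ 'user_id' => $user_id, 'login' => $login, 'password' => $pass ] );
}
// Registered for authenticated users only; there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_wpgmp_temp_access_ajax', 'wpgmp_temp_access_ajax_hardened' );

// Cron callback that removes the temporary account when its lifetime ends.
add_action( 'wpgmp_revoke_temp_access', function ( $user_id ) {
    require_once ABSPATH . 'wp-admin/includes/user.php';   // wp_delete_user() lives here
    wp_delete_user( (int) $user_id );
} );
```

The two versions differ in three independent controls, and removing any one of them would have been enough to make this a critical bug: the nopriv hook decides who can reach the code at all, the capability check decides who is allowed to act, and the nonce ties the request to a session so that a logged-in admin cannot be tricked into issuing it from another site.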

Affected Systems

  • Product: WP Maps Pro plugin for WordPress
  • Vulnerable Versions: All versions up to and including 6.1.0
  • Patched Version: 6.1.1 and later
  • Install Base: Over 15,000 active installations are potentially vulnerable.

Exploitation Status

This vulnerability is under active and widespread exploitation. Because the exploit is a single unauthenticated HTTP request, it is trivial to automate. Wordfence confirmed that it blocked 2,858 exploitation attempts within a single 24-hour period shortly after the flaw was disclosed. Attackers are scanning the internet for sites running the vulnerable plugin and attempting to create administrator accounts, typically with usernames such as admine or wp-admin.

Impact Assessment

The impact of exploitation is a complete site takeover. An attacker with an administrator account can:

  • Deface the website.
  • Inject malicious code, backdoors, or credit card skimmers.
  • Redirect traffic to malicious sites.
  • Use the site to host phishing pages or malware.
  • Delete the entire site's content and backups.
  • Gain access to sensitive user data stored by the website.

For any business relying on their WordPress site, this is a critical incident that can lead to significant financial and reputational damage.

Cyber Observables — Hunting Hints

Web administrators should hunt for signs of compromise.

Type: url_pattern
Value: /wp-admin/admin-ajax.php
Description: Look for requests to this endpoint with action=wpgmp_temp_access_ajax. Standard web server access logs record only the request line, so the parameter is visible there only when the attacker placed it in the query string; a POST that carries it in the body appears as a bare POST to admin-ajax.php and must be correlated with WAF logs or full-request logging.

Type: log_source
Value: Web Server Access Logs
Description: Search for successful (HTTP 200) POST requests to admin-ajax.php from IP addresses you do not recognise. admin-ajax.php also receives constant legitimate traffic (the WordPress Heartbeat and many plugins use it), so the signal is unexpected source IPs, automation user agents, and requests clustered around the registration time of an unknown account, not the endpoint alone.

Type: user_account_pattern
Value: admine, wp-admin, support-user
Description: Audit the WordPress user list for recently created administrator accounts, especially ones with these usernames. Their absence is not proof of safety: the attacker chooses the username.

Type: directory
Value: wp-content/plugins/wp-google-map-gold/
Description: The presence of this directory indicates the plugin is installed. Check its version (on the Plugins page, or in the plugin header of its main PHP file) against the patched release, 6.1.1.

Detection & Response

  1. Review Admin Accounts: Log into the WordPress dashboard, open the 'Users' section, and look for administrator accounts you do not recognise, paying attention to the registration date. Delete any rogue account (reassigning or removing its content as appropriate), but treat this as the start of the response rather than the end: an attacker who held an administrator account may already have installed backdoors, modified files, or created further accounts, so review plugins, themes, uploads, and scheduled tasks as well.
  2. Log Analysis: Analyse web server access logs for requests to /wp-admin/admin-ajax.php that carry action=wpgmp_temp_access_ajax. Hits from untrusted IPs are strong indicators of an attack. Bear in mind that access logs do not contain POST bodies, so a request that sent the action in the body shows up only as a POST to admin-ajax.php; correlate such requests by source IP and timing with any request that did expose the action in its query string, or with WAF logs. This is a form of D3FEND Web Session Activity Analysis.
  3. Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to block exploitation attempts against CVE-2026-8732. Many commercial WAF providers have already pushed these rules.
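The first two steps can be scripted. The following is an added hunting helper written for this article (it is not Wordfence's or the plugin vendor's code). It classifies access-log lines, correlates bare admin-ajax.php POSTs with source IPs that were seen sending the exploit action in a query string, and flags administrator accounts that were registered on or after the patch date or that carry one of the usernames the advisory names. The log lines and the fallback user list are constructed sample data; the date cut-off is an assumption to tune to your own environment. It needs PHP 8 when run stand-alone.

```php
<?php
// Added hunting helper for this article (not vendor code). Run stand-alone with
// `php hunt.php` against the constructed sample data below, or load it inside WordPress
// with `wp eval-file hunt.php`, in which case it audits the live administrator list.

const EXPLOIT_ACTION    = 'wpgmp_temp_access_ajax';
const SUSPICIOUS_LOGINS = [ 'admine', 'wp-admin', 'support-user' ];   // usernames named in the advisory
const PATCH_RELEASED    = '2026-05-20';   // 6.1.1 release date per the advisory; assumed cut-off

// Classify one common/combined-format log line:
//   'exploit'   the request line itself carries action=wpgmp_temp_access_ajax
//   'ajax-post' any other POST to admin-ajax.php (the action may be in the unlogged body)
//   null        everything else
function classify_log_line( string $line ): ?string {
    if ( ! preg_match( '/"(GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
        return null;
    }
    $path = parse_url( $m[2], PHP_URL_PATH ) ?? '';
    if ( ! str_ends_with( $path, '/wp-admin/admin-ajax.php' ) ) {
        return null;
    }
    parse_str( parse_url( $m[2], PHP_URL_QUERY ) ?? '', $params );
    if ( ( $params['action'] ?? '' ) === EXPLOIT_ACTION ) {
        return 'exploit';
    }
    return 'POST' === $m[1] ? 'ajax-post' : null;
}

// Two passes: collect IPs that exposed the exploit action, then also report their bare
// admin-ajax.php POSTs, which are the likely body-borne exploit attempts.
function hunt_log( array $lines ): array {
    $exploit_ips = [];
    foreach ( $lines as $line ) {
        if ( 'exploit' === classify_log_line( $line ) ) {
            $exploit_ips[ explode( ' ', $line, 2 )[0] ] = true;
        }
    }
    $hits = [];
    foreach ( $lines as $line ) {
        $ip      = explode( ' ', $line, 2 )[0];
        $verdict = classify_log_line( $line );
        if ( 'exploit' === $verdict || ( 'ajax-post' === $verdict && isset( $exploit_ips[ $ip ] ) ) ) {
            $hits[] = [ 'ip' => $ip, 'verdict' => $verdict, 'line' => $line ];
        }
    }
    return $hits;
}

// Return logins of administrators registered since $since or carrying a known bad name.
function flag_admins( array $admins, string $since ): array {
    $cutoff  = strtotime( $since );
    $flagged = [];
    foreach ( $admins as $u ) {
        $recent   = strtotime( $u->user_registered ) >= $cutoff;
        $bad_name = in_array( strtolower( $u->user_login ), SUSPICIOUS_LOGINS, true );
        if ( $recent || $bad_name ) {
            $flagged[] = $u->user_login;
        }
    }
    return $flagged;
}

// --- Constructed sample access log (RFC 5737 documentation addresses) ---
$sample_log = [
    '203.0.113.7 - - [22/May/2026:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax HTTP/1.1" 200 61 "-" "python-requests/2.31"',
    '203.0.113.7 - - [22/May/2026:03:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "python-requests/2.31"',
    '198.51.100.4 - - [22/May/2026:03:20:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.4 - - [22/May/2026:03:21:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];
foreach ( hunt_log( $sample_log ) as $hit ) {
    printf( "[%-9s] %s\n", $hit['verdict'], $hit['line'] );
}

if ( function_exists( 'get_users' ) ) {
    // Inside WordPress (wp eval-file): audit the real administrator list.
    $admins = get_users( [ 'role' => 'administrator' ] );
} else {
    // Stand-alone: constructed stand-ins carrying the two WP_User fields the audit reads.
    $admins = [
        (object) [ 'user_login' => 'owner',  'user_registered' => '2024-02-11 09:00:00' ],
        (object) [ 'user_login' => 'admine', 'user_registered' => '2026-05-22 03:14:07' ],
    ];
}
foreach ( flag_admins( $admins, PATCH_RELEASED ) as $login ) {
    echo "suspicious administrator: {$login}\n";
}
```

On the sample data the first two lines are reported (the second only because 203.0.113.7 already exposed the action in a query string), the legitimate admin-ajax.php POST from 198.51.100.4 is not, and the administrator audit lists admine. An 'ajax-post' from an IP with no 'exploit' hit is not evidence on its own; for those you need WAF or full-request logs, or the registration timestamp of an unknown account to pivot from.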

Mitigation

  1. Update Immediately (M1051): The most critical action is to update the WP Maps Pro plugin to version 6.1.1 or later. This version removes the vulnerable code. This is a direct application of D3FEND's Software Update.
  2. Remove if Unused: If the plugin is not essential to your site's functionality, the safest course of action is to deactivate and delete it entirely.
  3. Harden WordPress: Enforce the principle of least privilege for all user accounts. Regularly audit admin accounts and enable Multi-factor Authentication (M1032) for all administrator-level users to make account takeover more difficult.

Timeline of Events

1. May 20, 2026: The developer of WP Maps Pro releases version 6.1.1 to patch CVE-2026-8732.
2. June 1, 2026: This article is published.

MITRE ATT&CK Mitigations

Immediately update the WP Maps Pro plugin to the patched version (6.1.1 or later) to remediate the vulnerability.

If the plugin is not essential, the most secure mitigation is to deactivate and delete it from the WordPress installation.

Enforce MFA on all WordPress administrator accounts as a compensating control to make it harder for an attacker-created account to be used.

D3FEND Defensive Countermeasures

The primary and most effective countermeasure is to immediately update the WP Maps Pro plugin to the patched version, 6.1.1 or later. This action directly removes the vulnerable wpgmp_temp_access_ajax function, closing the authentication bypass flaw. Given the active and widespread exploitation of CVE-2026-8732, this should be treated as an emergency action. Site administrators should use the WordPress dashboard to perform the update. If the plugin is not actively used, the best course of action is to deactivate and delete it entirely to eliminate the risk.

Deploy a Web Application Firewall (WAF) with a specific rule to block requests targeting the vulnerability. The rule should inspect inbound POST requests to /wp-admin/admin-ajax.php and block any that contain action=wpgmp_temp_access_ajax in the request body. Most major WAF providers (like Cloudflare, Sucuri, Wordfence) have already deployed virtual patches for this threat. This provides a critical layer of defense that can block exploit attempts before they reach the vulnerable plugin, protecting sites that have not yet been patched.
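Where no WAF sits in front of the site, the same virtual patch can be applied inside WordPress itself. The following must-use plugin is an added example written for this article, not code from the plugin vendor or any WAF product. It assumes that the plugin dispatches its handler through WordPress's wp_ajax_* hooks, which fire after 'init', so a callback registered on 'init' at priority 0 runs before the vulnerable code. It is an interim control only: install 6.1.1 or later and then remove this file.

```php
<?php
/**
 * Plugin Name: Block CVE-2026-8732 exploitation attempts
 * Description: Interim kill switch for the wpgmp_temp_access_ajax action. Place this file in
 *              wp-content/mu-plugins/ until WP Maps Pro 6.1.1 or later is installed, then delete it.
 */
// Added example for this article; not code from the plugin vendor or a WAF product.
// Assumption: the plugin's handler is dispatched through the wp_ajax_* hooks, which fire
// after 'init', so an early 'init' callback executes before it can.

add_action( 'init', function () {
    if ( ! wp_doing_ajax() ) {
        return;                                   // only admin-ajax.php requests are relevant
    }
    // admin-ajax.php reads the action from $_REQUEST, so query string and body are both covered.
    $action = $_REQUEST['action'] ?? '';
    if ( ! is_string( $action ) || 'wpgmp_temp_access_ajax' !== $action ) {
        return;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return;                                   // a logged-in administrator may still use the feature
    }
    // Record the attempt for the hunting step, then refuse it before any plugin code runs.
    error_log( sprintf(
        'CVE-2026-8732 attempt blocked: ip=%s ua=%s',
        $_SERVER['REMOTE_ADDR'] ?? '?',
        $_SERVER['HTTP_USER_AGENT'] ?? '?'
    ) );
    wp_die( 'Forbidden', 'Forbidden', [ 'response' => 403 ] );
}, 0 );
```

Must-use plugins load before regular plugins and cannot be deactivated from the dashboard, which is exactly what you want from an emergency control. The error_log() line gives you a record of blocked attempts in the PHP error log even though the action never reaches the web server's access log when it is sent in the POST body.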


Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2026-8732, WordPress, Plugin Vulnerability, Authentication Bypass, WAF
