Unauthenticated Administrator Account Creation in WP Maps Pro
CVE-2026-8732 is a critical unauthenticated privilege escalation vulnerability in the WP Maps Pro WordPress plugin affecting all versions up to and including 6.1.0. The flaw is in the plugin’s temporary support-access AJAX functionality. The action wpgmp_temp_access_ajax is exposed to unauthenticated users via wp_ajax_nopriv_ and is protected only by a nonce check using fc-call-nonce. That nonce is publicly embedded in frontend pages through wp_localize_script in the wpgmp_local JavaScript object, so it does not provide effective access control. An unauthenticated attacker can invoke the temporary access handler with check_temp=false, causing the plugin to call wp_insert_user() and create a new WordPress user with the hardcoded administrator role. The vulnerable workflow then returns a magic login URL; when visited, it triggers wp_set_auth_cookie() and authenticates the attacker as the newly created administrator without requiring a password.
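The two stages described above leave distinct traces in a web server's access log: a request to admin-ajax.php carrying the wpgmp_temp_access_ajax action, followed by a GET that consumes the magic login URL (its wpgmp_token parameter) and then visits to wp-admin user-management pages. The following triage script is an added example (not part of the advisory) that scores constructed combined-format log lines on those indicators; it assumes the action parameter is visible in the request line, which is only true when it is passed in the query string, since POST bodies are not logged, so the magic-URL GET is the more dependable signal.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Indicators taken from the vulnerability description: the nopriv AJAX action
# and the wpgmp_token parameter carried by the magic login URL.
AJAX_ACTION = "wpgmp_temp_access_ajax"
TOKEN_PARAM = "wpgmp_token"

# Constructed sample log (IPs from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2026:03:14:07 +0000] "GET / HTTP/1.1" 200 48213
203.0.113.5 - - [12/May/2026:03:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax&check_temp=false HTTP/1.1" 200 312
203.0.113.5 - - [12/May/2026:03:14:11 +0000] "GET /?wpgmp_token=0123456789abcdef HTTP/1.1" 302 0
203.0.113.5 - - [12/May/2026:03:14:12 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 9021
198.51.100.7 - - [12/May/2026:03:20:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55
"""

def classify(line):
    """Label one log line with an indicator, or None if it shows nothing relevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["path"])
    qs = parse_qs(parts.query)
    if parts.path.endswith("/admin-ajax.php") and AJAX_ACTION in qs.get("action", []):
        return "temp_access_ajax"  # handler that calls wp_insert_user() with the administrator role
    if TOKEN_PARAM in qs:
        return "magic_login"  # magic URL consumed; wp_set_auth_cookie() runs here
    if parts.path.endswith("/wp-admin/user-new.php"):
        return "user_new"  # legitimate on its own; suspicious right after the two above
    return None

def find_suspects(log_text):
    """Group indicators per client IP; report IPs that hit the AJAX action or a magic URL."""
    hits = {}
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            hits.setdefault(LOG_RE.match(line)["ip"], []).append(label)
    return {ip: labels for ip, labels in hits.items()
            if "temp_access_ajax" in labels or "magic_login" in labels}

if __name__ == "__main__":
    for ip, labels in find_suspects(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(labels))
```

Any IP the script reports should be followed by a review of administrator accounts created around those timestamps, since the handler creates the user server-side regardless of whether the magic URL was ever visited.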
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository contains a single Python 2.7 exploit script and a README. The script is a multithreaded mass-exploitation tool targeting an alleged vulnerability in the WordPress WP Google Map Pro plugin, identified in the repo as CVE-2026-8732. Its workflow is: read a list of target domains, normalize them to HTTP/HTTPS, fetch each target homepage to extract a nonce from page content, send a crafted POST request to /wp-admin/admin-ajax.php with action=wpgmp_temp_access_ajax, parse the response for a temporary access token or redirect URL, optionally visit the redirect URL to establish authenticated session cookies, then access /wp-admin/user-new.php and submit a create-user form with role=administrator. It verifies success by checking for a redirect to users.php or by searching the users list for the new username. The exploit’s main capability is full administrative takeover of vulnerable WordPress sites through unauthorized admin account creation. It is not merely a scanner: it performs exploitation and post-exploitation account provisioning automatically. Credentials are hardcoded except for a timestamp suffix added to the username. Results are written locally to res.txt and admin_created.txt. The code uses requests.Session for cookie persistence, disables TLS verification warnings, and runs across multiple threads for bulk targeting. Repository structure is minimal: CVE-2026-8732.py is the operational exploit entry point, while README.md documents the claimed vulnerability, usage, configuration, and expected output. No external exploit framework is used.
The repository contains a single Python 2.7 exploit script and a README. The script is a multithreaded mass-exploitation tool targeting an alleged WP Google Map Pro vulnerability identified as CVE-2026-8732. Its workflow is: normalize each target URL, fetch the site homepage, extract a nonce from page content using regexes for wpgmp_local or fc-call-nonce, send a POST request to /wp-admin/admin-ajax.php with action=wpgmp_temp_access_ajax to obtain a temporary token or redirect URL, optionally visit the redirect URL to establish session state, then access /wp-admin/user-new.php and submit a create-user form with role=administrator. It verifies success via redirect to users.php or by checking whether the username appears in /wp-admin/users.php. The exploit saves token data to res.txt and successful admin credentials to admin_created.txt. The code uses requests, disables TLS verification warnings, and runs 10 worker threads over a supplied target list. This is not merely a scanner or detector; it performs post-access account creation and is therefore an operational exploit for unauthorized administrative takeover of vulnerable WordPress sites.
The repository contains a README and one Python exploit script, shadow.py. The project targets CVE-2026-8732 in the WordPress WP Maps Pro plugin (wp-google-map-gold) <= 6.1.0. It is a real exploit, not just a detector: the script automates the full attack chain from reconnaissance through persistence.
Structure and purpose:
- README.md documents the vulnerability, root cause, attack chain, and usage examples.
- shadow.py is the main entry point and operational exploit. It supports interactive mode, single-target mode (-u), and batch mode from a file (-f) with multithreading (-t).
Main exploit capabilities observed in shadow.py:
1. Target normalization and HTTP session setup using requests.
2. Plugin detection by fetching the homepage and checking for WP Maps Pro markers, with fallback direct probes to plugin asset/file paths.
3. Vulnerable feature detection by requesting /wp-content/plugins/wp-google-map-gold/classes/wpgmp-temp-access.php.
4. Nonce harvesting from public pages using a regex for the wpgmp_local JavaScript object and parallel crawling of common paths.
5. Exploitation of the unauthenticated AJAX action at /wp-admin/admin-ajax.php using the leaked nonce and check_temp=false to trigger administrator creation.
6. Consumption of the returned magic login URL containing wpgmp_token to obtain an authenticated WordPress admin session.
7. Post-exploitation persistence by creating a new administrator/backdoor account via the WordPress REST API.
8. Result logging to pwned.txt, including target URL, generated credentials, magic URL, and cookies.
The exploit is web/network based and operationally mature: it includes detection, exploitation, session handling, persistence, batch processing, and output management. No evidence suggests it belongs to a major exploit framework such as Metasploit or Nuclei.
Recent activity
79 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Critical authentication bypass/account creation vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create an administrator account and take full control of the site.
A critical unauthenticated privilege escalation vulnerability in the WP Maps Pro WordPress plugin that allows attackers to create unauthorized administrator accounts and gain full control of affected websites.
A critical authentication bypass/account creation vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create rogue administrator accounts and gain full administrator access via a magic login URL.
A critical authentication bypass/account creation vulnerability in the WP Maps Pro WordPress plugin that allows unauthenticated attackers to create administrator accounts and take over affected sites.