The active exploitation of CVE-2026-8732 in WP Maps Pro reveals a systemic risk in how third-party WordPress plugins implement temporary vendor access. Defiant's report correctly identifies the core issue—an AJAX callback protected only by a frontend-exposed nonce and lacking capability checks—but underplays the broader design failure: embedding troubleshooting backdoors as standard practice. This mirrors earlier incidents, including the 2023 LiteSpeed Cache zero-day chain and the Post SMTP takeover campaign, where similar unauthenticated admin creation paths enabled rapid site hijacks. The plugin's use of a hardcoded email and magic login URL for the new admin account creates persistent footholds that survive simple patching, a detail overlooked in initial coverage. Cross-referencing with Wordfence's telemetry on nonce misuse across 40+ plugins and Sucuri's 2024 incident report on vendor credential leaks shows attackers are systematically scanning for these temporary access functions. Site owners running any plugin with 'temp access' or 'support login' features face immediate risk, as the flaw allows full takeover without authentication in under a minute. Patching to 6.1.1 closes the vector, yet residual admin accounts generated during attacks require manual cleanup to prevent ongoing persistence.