CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited
From CTI Daily Brief — 2026-06-02 · published 2026-06-02
CVE-2026-8732 (CVSS 9.8) lets an unauthenticated attacker create a WordPress administrator account on sites running the WP Maps Pro plugin ≤ 6.1.0 by abusing a publicly disclosed nonce together with a wp_ajax_nopriv_ action handler that fails to enforce capability checks (The Hacker News, 2026-06-01 · BleepingComputer, 2026-05-31). The CVSS 9.8 rating is per The Hacker News. Exploitation is live — Wordfence reported blocking exploitation attempts at scale within 24 hours of disclosure. The fix is in version 6.1.1. Once an attacker holds an admin account, full site takeover (plugin/theme upload → webshell) follows.
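A post-disclosure triage helper, added here as an example and not taken from the brief, the plugin vendor or Wordfence. It encodes the three checks a responder would run first against the facts above: whether the installed plugin version is below the 6.1.1 fix, whether any administrator account was registered on or after disclosure (the brief's 2026-05-31 date), and whether the access log shows unauthenticated POSTs to `admin-ajax.php` carrying the plugin's AJAX action. The action prefix `wpmapspro_` is a placeholder, since the brief does not name the vulnerable action; the user export and log lines are constructed samples. Standard combined-format logs only show an `action` parameter when it travels in the query string, so requests that carry it in the POST body need WAF or application logs instead.

```python
"""Triage helpers for a CVE-2026-8732-style unauthenticated admin-creation bug.

Added example, not code from the brief or the plugin. Sample data below is
constructed. SUSPECT_ACTION_PREFIX is a placeholder: take real action names
from the vendor advisory or the plugin source.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

DISCLOSURE = datetime(2026, 5, 31, tzinfo=timezone.utc)   # date from the brief
FIXED_VERSION = (6, 1, 1)                                  # fix version from the brief
SUSPECT_ACTION_PREFIX = "wpmapspro_"                       # PLACEHOLDER, not from the brief

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def version_is_vulnerable(installed: str) -> bool:
    """True when the installed plugin version is below the 6.1.1 fix (i.e. <= 6.1.0)."""
    parts = tuple(int(p) for p in installed.strip().split("."))
    return parts < FIXED_VERSION


def new_admins(users, since=DISCLOSURE):
    """Administrator logins whose wp_users.user_registered (stored in UTC) is >= since."""
    found = []
    for u in users:
        if u["role"] != "administrator":
            continue
        registered = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S")
        if registered.replace(tzinfo=timezone.utc) >= since:
            found.append(u["login"])
    return found


def suspicious_ajax_hits(log_lines):
    """Successful POSTs to admin-ajax.php whose query-string action matches the prefix.

    wp_ajax_nopriv_ handlers run for unauthenticated callers, so there is no
    session to correlate; the action name and a 200 response are the signal.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if m["method"] != "POST" or not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        if action.startswith(SUSPECT_ACTION_PREFIX) and m["status"] == "200":
            hits.append({"ip": m["ip"], "ts": m["ts"], "action": action})
    return hits


def triage(installed_version, users, log_lines):
    """Combine the three checks into one report dict."""
    return {
        "vulnerable_version": version_is_vulnerable(installed_version),
        "new_admins": new_admins(users),
        "ajax_hits": suspicious_ajax_hits(log_lines),
    }


# Constructed sample export of wp_users joined to roles (not real data).
SAMPLE_USERS = [
    {"login": "siteowner", "role": "administrator", "registered": "2024-02-10 11:02:00"},
    {"login": "wpmaps_support", "role": "administrator", "registered": "2026-06-01 03:12:44"},
    {"login": "editor1", "role": "editor", "registered": "2026-06-01 08:00:00"},
]

# Constructed sample access-log lines (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:03:12:41 +0000] "POST /wp-admin/admin-ajax.php?action=wpmapspro_save_settings HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '198.51.100.4 - - [01/Jun/2026:09:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jun/2026:03:12:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    report = triage("6.1.0", SAMPLE_USERS, SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report flags the 6.1.0 install as vulnerable, lists `wpmaps_support` as an administrator created after disclosure, and returns the single unauthenticated `admin-ajax.php` POST from 203.0.113.7 three seconds before that account's registration time, which is the correlation worth pivoting on in a real investigation.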