ctipilot.ch

WP Maps Pro unauthenticated admin-account creation (actively exploited)

cve · CVE-2026-8732

  • Coverage timeline: 1 (first 2026-06-02 → last 2026-06-02)
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-02 · CTI Daily Brief — 2026-06-02
    trending_vulns: First coverage. CVSS 9.8 nonce/nopriv-ajax admin creation; live exploitation per Wordfence; fixed in 6.1.1.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • bleepingcomputer.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Related entities

Items in briefs about WP Maps Pro unauthenticated admin-account creation (actively exploited) (1)

CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

CVE-2026-8732 (CVSS 9.8) lets an unauthenticated attacker create a WordPress administrator account on sites running the WP Maps Pro plugin ≤ 6.1.0 by abusing a publicly disclosed nonce together with a wp_ajax_nopriv_ action handler that fails to enforce capability checks (The Hacker News, 2026-06-01 · BleepingComputer, 2026-05-31). The CVSS 9.8 rating is per The Hacker News. Exploitation is live — Wordfence reported blocking exploitation attempts at scale within 24 hours of disclosure. The fix is in version 6.1.1. Once an attacker holds an admin account, full site takeover (plugin/theme upload → webshell) follows.
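
A triage check for the condition described above, added here as an example and not taken from the brief or its sources: it flags plugin versions older than the fixed 6.1.1 and lists administrator accounts registered on or after a cutoff date. It assumes the account list is CSV from WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv`); the sample rows and the 2026-05-31 cutoff are constructed for illustration.

```python
import csv
import io
from datetime import datetime

FIXED_VERSION = (6, 1, 1)  # first fixed release, per the brief


def parse_version(text):
    """Turn a numeric version such as '6.1.0' into (6, 1, 0); missing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(installed):
    """True when the installed plugin version predates the fix."""
    return parse_version(installed) < FIXED_VERSION


def admins_registered_since(csv_text, cutoff):
    """Return (login, registered) for administrator rows registered at or after cutoff.

    csv_text is assumed to be the WP-CLI CSV output named in the lead-in;
    cutoff is a YYYY-MM-DD date chosen by the analyst.
    """
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d")
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff_dt:
            hits.append((row["user_login"], row["user_registered"]))
    return hits


# Constructed sample data, not taken from any real site.
SAMPLE_CSV = """ID,user_login,user_registered
1,siteowner,2023-04-11 09:15:02
7,editor_admin,2025-11-20 16:40:55
42,wp_support_x,2026-06-01 03:12:44
"""

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("6.1.0"))
    for login, when in admins_registered_since(SAMPLE_CSV, "2026-05-31"):
        print("review admin account:", login, when)
```

An account flagged here is a lead for review against known staff and change records, and an empty list does not clear a site that ran 6.1.0 or earlier.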