ctipilot.ch

WP Maps Pro WordPress plugin <=6.1.0 — unauthenticated admin-account creation via disclosed nonce + wp_ajax_nopriv_ handler; actively exploited (CVSS 9.8); fixed 6.1.1

cve · CVE-2026-8732

Coverage timeline
1
first 2026-06-02 → last 2026-06-02
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-06-02CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • bleepingcomputer.com1 (50%)
  • thehackernews.com1 (50%)

explore in graph

Entries about WP Maps Pro WordPress plugin <=6.1.0 — unauthenticated admin-account creation via disclosed nonce + wp_ajax_nopriv_ handler; actively exploited (CVSS 9.8); fixed 6.1.1 (1)

2026-06-02 · view entry permalink →

NOTABLECVE-2026-8732exploited

CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited

CVE-2026-8732 (CVSS 9.8) lets an unauthenticated attacker create a WordPress administrator account on sites running the WP Maps Pro plugin ≤ 6.1.0 by abusing a publicly disclosed nonce together with a wp_ajax_nopriv_ action handler that fails to enforce capability checks (The Hacker News, 2026-06-01 · BleepingComputer, 2026-05-31). The CVSS 9.8 rating is per The Hacker News. Exploitation is live — Wordfence reported blocking exploitation attempts at scale within 24 hours of disclosure. The fix is in version 6.1.1. Once an attacker holds an admin account, full site takeover (plugin/theme upload → webshell) follows.

CVE-2026-8732 (CVSS 9.8) lets an unauthenticated attacker create a WordPress administrator account on sites running the WP Maps Pro plugin ≤ 6.1.0 by abusing a publicly disclosed nonce together with a wp_ajax_nopriv_ action handler that fails to enforce capability checks (The Hacker News …

ctipilot v2 brief (migrated)
vulnerability02 Jun 05:00Zmulti-sourceOpen finding ↗