CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password
CVE-2026-8732 in WP Maps Pro lets unauthenticated attackers create WordPress admin accounts. 2,858 attacks blocked in 24 hours. WP Maps Pro plugin allows WordPress site owners to embed Google Maps and OpenStreetMap with markers, listings, and location search. It’s a store locator tool. Unremarkable. The plugin is installed on over 15,000 websites, according to sale […]
WP Maps Pro plugin allows WordPress site owners to embed Google Maps and OpenStreetMap with markers, listings, and location search. It’s a store locator tool. Unremarkable. The plugin is installed on over 15,000 websites, according to sale data of Envato Market. And right now, attackers are actively exploiting a critical flaw in it that lets anyone on the internet create a full administrator account on an affected site without logging in first.
The vulnerability is tracked as CVE-2026-8732 and received a CVSS score of 9.8. The root cause is a “temporary access” feature built to let plugin support staff log into a customer’s site during troubleshooting. That feature registered an AJAX action called wpgmp_temp_access_ajax using WordPress’s wp_ajax_nopriv_ hook, which means unauthenticated users can call it. The only protection was a nonce check, but the nonce itself was embedded publicly into every frontend page of the site via wp_localize_script.
Related breach coverage
- WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites2026-06-01
The security defect (CVE-2026-8732) allows unauthenticated attackers to create administrative accounts on the affected installations. The post WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites appeared first on SecurityWeek.
- CVE-2026-9082: Drupal’s Highly Critical SQL Injection Flaw Is Already Under Active Attack2026-05-23
Attackers began exploiting Drupal SQL injection flaw CVE-2026-9082 within 48 hours of patch release. Drupal issued a highly critical security patch on May 20 for CVE-2026-9082, a SQL injection vulnerability that allows unauthenticated attackers to compromise sites running PostgreSQL databases. The project maintainers warned ahead of the release that exploits could surface within hours or […]
- Cisco fixed maximum severity flaw CVE-2026-20223 in Secure Workload2026-05-21
Cisco fixed a critical Secure Workload flaw (CVE-2026-20223) that could let attackers gain Site Admin privileges through crafted API requests. Cisco released patches for a critical vulnerability, tracked as CVE-2026-20223 (CVSS score of 10.0), in Secure Workload. The flaw stems from insufficient validation and authentication in REST API endpoints. According to Cisco, remote attackers could […]
- Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites2026-05-25
Attackers are exploiting the patched Ghost CMS flaw CVE-2026-26980, compromising over 700 unpatched sites, including universities. Threat actors are actively exploiting a security flaw, tracked as CVE-2026-26980, in Ghost CMS that was fixed months ago in real attacks against unpatched websites. According to Qianxin, the campaign has already affected more than 700 sites, including well-known organizations and […]