A critical vulnerability, CVE-2026-8732, has been discovered in the WP Maps Pro plugin, which is installed on over 15,000 websites. It allows unauthenticated attackers to create WordPress admin accounts without a password. The plugin, used for embedding Google Maps and OpenStreetMap with store locator functionality, is under active exploitation, with 2,858 attacks blocked in a 24-hour period. The flaw lets attackers create full administrator accounts on affected sites without any prior login credentials, so websites using WP Maps Pro are at risk of unauthorized access and potential data breaches. The active exploitation is being closely monitored, with discussions involving Google to determine the severity of the threat. For practitioners, this vulnerability underscores the need for immediate patching or close monitoring to prevent potential security breaches.