The article discusses a critical vulnerability identified as CVE-2026-8732 in the WP Maps Pro plugin for WordPress, which allows unauthenticated attackers to create admin accounts without a password. This flaw affects over 15,000 websites and has a CVSS score of 9.8. The vulnerability results from a feature intended for plugin support staff that lacks proper authentication measures. Attackers have started exploiting this vulnerability, leading to significant security risks, including potential site takeovers.
The plugin maintainers released a fix (version 6.1.1) on May 20, 2026, but many sites remain vulnerable as of the article's publication. Users are urged to update or deactivate the plugin immediately to prevent unauthorized access.
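
A triage check for site owners, added here as an example and not taken from the article or the plugin: it classifies the installed plugin against the 6.1.1 fix and lists administrator accounts registered inside a review window. It assumes input in the JSON shape produced by `wp plugin list --format=json` and `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`, that every release below 6.1.1 is affected, and that the operator picks the window start; the plugin slug is a placeholder and the sample records are constructed.

```python
import json
import re
from datetime import datetime

FIXED_VERSION = (6, 1, 1)                 # fix release named in the summary
PLUGIN_SLUG = "PLUGIN-SLUG-PLACEHOLDER"   # assumption: use the slug `wp plugin list` shows

# Constructed sample data in the shape WP-CLI emits with --format=json.
SAMPLE_PLUGINS = json.dumps([
    {"name": PLUGIN_SLUG, "status": "active", "version": "6.1.0"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-02-11 09:30:00"},
    {"ID": 57, "user_login": "constructed_user", "user_registered": "2026-05-19 02:14:07"},
])

def parse_version(text):
    """Map '6.1' or '6.1.1-beta' to a comparable 3-tuple of ints."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def plugin_status(plugins_json, slug=PLUGIN_SLUG):
    """Classify the plugin; assumes every release below 6.1.1 is affected."""
    for plugin in json.loads(plugins_json):
        if plugin["name"] != slug:
            continue
        if parse_version(plugin["version"]) >= FIXED_VERSION:
            return "patched"
        active = plugin["status"] in ("active", "active-network")
        return "vulnerable-active" if active else "vulnerable-inactive"
    return "not-installed"

def admins_to_review(admins_json, since):
    """Return administrator logins registered on or after `since` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for user in json.loads(admins_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged

if __name__ == "__main__":
    print(plugin_status(SAMPLE_PLUGINS))
    print(admins_to_review(SAMPLE_ADMINS, "2026-05-01"))
```

An account flagged here is only a candidate for review; confirm each one with the site's owners before removing it.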