A critical-severity vulnerability in the WP Maps Pro WordPress plugin (CVE-2026-8732) has been reported that allows unauthenticated attackers to take over websites by creating administrative accounts. The vulnerability, with a CVSS score of 9.8, affects the AJAX function used for temporary access generation. The nonce check protecting this function is ineffective because the nonce is exposed to unauthenticated users, enabling attackers to create new admin users.
The issue has been patched in version 6.1.1 of the plugin, which adds necessary access checks. Over 1,700 attacks targeting this vulnerability were blocked recently.
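The general pattern behind this class of bug, as an added example that is not WP Maps Pro's code or its patch: a WordPress AJAX handler that treats a nonce as authorization, next to the form that adds a capability check. The action name `example_temp_access`, the `nonce` field, the function name and the role assigned are hypothetical, and the code assumes it is loaded as part of a WordPress plugin.

```php
<?php
/**
 * Added example: hypothetical plugin code, not WP Maps Pro's own.
 * The action name, nonce field and function name are assumptions.
 */

// Weak pattern (left commented out): the handler is also registered for
// logged-out visitors and relies on a nonce alone. A nonce printed into a
// public page is readable by anyone, and for logged-out visitors WordPress
// derives it from user ID 0, so it identifies nobody.
//
//   add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access' );

// Hardened pattern: register the handler for authenticated users only.
add_action( 'wp_ajax_example_temp_access', 'example_temp_access' );

function example_temp_access() {
    // 1. Nonce check: CSRF protection for a logged-in user. Not authorization.
    if ( ! check_ajax_referer( 'example_temp_access', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Capability check: the actual access control for a user-creating action.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 3. Only now perform the privileged operation. The role is fixed
    //    server-side (assumption: least privilege) and never read from the request.
    $user_id = wp_insert_user( array(
        'user_login' => 'temp_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber',
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

When auditing a plugin for this pattern, look for `wp_ajax_nopriv_` registrations and for handlers whose only gate is `check_ajax_referer()` or `wp_verify_nonce()` with no `current_user_can()` call before a privileged operation.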