CVE-2026-8732 Lets Unauthenticated Users Create Admin Accounts in WP Maps Pro

A critical vulnerability in WP Maps Pro, tracked as CVE-2026-8732 with a CVSS score of 9.8, allows unauthenticated attackers to create administrative accounts and take over WordPress sites. The plugin, used by over 15,000 customers on Envato Market, has been actively exploited. Wordfence blocked 2,858 exploitation attempts within 24 hours. The flaw enables attackers to bypass authentication and gain full site control. WP Maps Pro includes a temporary access feature for vendor logging, which may have contributed to the vulnerability's exposure.