CVE-2026-8732: The WP Maps Pro Flaw That Lets Anyone Create a WordPress Admin Without a Password
ID: 93457401-ad70-5fef-95f9-5beaf334c7ca
STIX ID: report--93457401-ad70-5fef-95f9-5beaf334c7ca
Feed Name: Security Affairs
A critical vulnerability (CVE-2026-8732, CVSS 9.8) in the WP Maps Pro WordPress plugin allows unauthenticated attackers to create administrator accounts via a publicly exposed AJAX endpoint protected only by a nonce embedded in frontend pages. The flaw was actively exploited in the wild (thousands of blocked attacks) and affects installations up to version 6.1.0. Update to 6.1.1 or deactivate the plugin immediately.
