Key Findings CVE-2026-8732 in WP Maps Pro allows unauthenticated attackers to create WordPress administrator accounts remotely CVSS score of 9.8 indicates critical severity Over 2,858 attacks blocked in 24 hours, indicating active mass exploitation Affects all versions through 6.1.0; patched in version 6.1.1 released May 20, 2026 Plugin installed on 15,000+ WordPress sites according to Envato Market sales data Exploitation began before most site owners had time to patch after