CVE-2026-8732 in the WP Maps Pro WordPress plugin (versions 6.1.0 and earlier) allows any unauthenticated internet user to create a WordPress administrator account via a broken AJAX endpoint, with Wordfence confirming nearly 2,900 blocked attack attempts in a single day. Active automated exploitation is underway and no confirmed patched version was available at time of report generation. Immediate plugin deactivation is required for any site running an affected version.