WP Maps Pro Exploited, Oracle ORDS Hits CVSS 10
WP Maps Pro admin creation flaw hits 15,000 sites as Oracle REST Data Services ships a CVSS 10.0 bug

CVE-2026-8732 — A privilege escalation vulnerability in the WP Maps Pro WordPress plugin is actively being exploited to create rogue administrator accounts on roughly 15,000 sites. The flaw, present in all versions up to and including 6.1.0, allows unauthenticated attackers to register new admin users via the wpgmp_temp_access_ajax AJAX action, which lacks proper capability checks. As Wordfence reported, the plugin is installed on over 15,000 WordPress sites, making this a significant supply-chain-style threat. Site owners should immediately update to the patched version or disable the plugin until a fix is applied. Given the low complexity and lack of authentication requirements, this vulnerability ranks as the highest-signal item in today's window.
CVE-2026-46840, CVE-2026-46839, CVE-2026-46775 — Oracle REST Data Services (ORDS) shipped three critical vulnerabilities in versions 24.2.0 through 26.1.0 that demand urgent attention. CVE-2026-46840 is the most severe, carrying a CVSS 10.0 and allowing an unauthenticated attacker with network access via HTTPS to completely compromise ORDS without any user interaction. The other two flaws (CVE-2026-46839, CVE-2026-46775) require low-privileged authentication but still enable full compromise of the service. ORDS is widely deployed as the RESTful interface for Oracle Database, meaning exploitation could lead to wholesale data exfiltration or lateral movement into backend databases. Organizations running ORDS should prioritize patching to the latest available version immediately.
CVE-2026-9559, CVE-2026-9558 — Mautic, the open-source marketing automation platform, disclosed two critical vulnerabilities that together form a potent attack chain. CVE-2026-9559 is a path traversal in the campaign import feature that allows file paths to escape intended temporary directories during ZIP extraction. CVE-2026-9558 is a Server-Side Template Injection (SSTI) vulnerability in Mautic's theme engine, where uploaded Twig templates are rendered without a sandbox. An authenticated attacker with campaign or theme creation permissions could chain these flaws to achieve remote code execution on the server. Mautic instances should be updated to the latest patched release, and administrators should audit existing themes and campaigns for signs of tampering.
CVE-2026-44962 — Plesk, the widely used web hosting control panel, contains an XPath injection vulnerability in its APS Application Catalog search functionality. The flaw allows an authenticated, low-privileged user to inject malicious XPath queries by supplying unsanitized input, potentially leading to unauthorized data access or privilege escalation within the Plesk environment. Given Plesk's deployment across millions of hosting servers, this vulnerability represents a significant risk for hosting providers who grant limited accounts to customers. Plesk has released a security update; administrators should apply it and consider restricting APS Catalog access for untrusted users in the interim.
CVE-2026-46817 — Oracle E-Business Suite's Payments component (File Transmission) carries a critical unauthenticated remote code execution vulnerability affecting versions 12.2.3 through 12.2.15. With a CVSS score of 9.8 and no authentication required, an attacker with network access could exploit this flaw to compromise the Oracle Payments application. Given that Oracle E-Business Suite handles sensitive financial transactions and customer data, this vulnerability should be treated as an emergency patch priority for finance and ERP teams. Oracle has released a Critical Patch Update addressing this and other E-Business Suite flaws.
CVE-2026-45039 — RustFS, a distributed object storage system written in Rust, contains a critical flaw in its internode RPC authentication mechanism prior to version 1.0.0-beta.2. The get_shared_secret function produces an HMAC-SHA256 shared secret using a weak derivation process, potentially allowing an attacker to forge authenticated requests between nodes. This could enable unauthorized data access or cluster compromise in multi-node RustFS deployments. Organizations using RustFS in production should upgrade to the beta.2 release or later, and review cluster logs for signs of unauthorized node communication.