The WordPress Exploit Hitting Sites Today? We Had the Detection Rules on May 30.

This morning's headline: CVE-2026-8732, a critical flaw in the WP Maps Pro WordPress plugin, CVSS 9.8, is under active exploitation. Unauthenticated attackers are using it to mint rogue administrator accounts and take over sites. If you run that plugin, you are being attacked right now.

We have had the detection rules since May 30. Three days early.

Here is the receipt, with timestamps. Our exploit harvester, which sweeps GitHub on a six-hour cycle, picked up three separate proof-of-concept repositories for CVE-2026-8732 and turned them into detection content before the active-exploitation reports landed. xShadow-Here's PoC on May 30. Jenderal92's on May 30. p3Nt3st3r's on June 1. From them we extracted the exact attack surface defenders need today: the target endpoints the attackers hit, which are the WordPress user-creation paths wp-admin/user-new.php, wp-admin/users.php, and wp-admin/admin-ajax.php. The injectable parameter that drives the privilege escalation, which is the role header. And the default credentials baked into the exploit code.

That is not a vague advisory. That is the precise request shape your WAF or SIEM can block on, sitting in our feed two to three days before the news told you to care.

This is what left-of-boom looks like when it is cheap. The harvester runs automatically. It cross-references every find against the CISA Known Exploited Vulnerabilities catalog. It builds the detection rule and indexes it. No analyst pulled an all-nighter for this one. The entire platform that produced it, seventeen point nine million documents and a live STIX feed, runs for about three hundred and eighty-four dollars a month.

We will be honest about the other side of the ledger, because honesty is the whole point. We do not catch everything. There is a Microsoft SharePoint spoofing vulnerability, CVE-2026-32201, being targeted this week that we did not harvest, and we are not going to pretend otherwise. A feed that claims one hundred percent coverage is lying to you. Ours is early and specific on what it catches, and silent on what it misses, and we would rather you trust the first thing than swallow the second.

But on the WordPress exploit hitting sites today, we were three days ahead, with the endpoints and the header and the creds already written down. The difference between patching after the headline and blocking before it is a feed you can register for in thirty seconds.

If you defend WordPress at scale, or you just want the indicators that predate the press cycle, the feed is live. Come take the receipts.

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com