ELEVATED, 2 Jun 2026

Actively Exploited WordPress Admin-Takeover Flaw Leads a Supply-Chain-Heavy Day

Today's actionable set is led by an actively exploited WP Maps Pro flaw (CVE-2026-8732) that lets attackers create WordPress administrator accounts, alongside a credential-stealing npm supply-chain compromise affecting Red Hat packages and a separate report of OpenAI Codex token theft. Two further active-exploitation reports (Windows Netlogon, a Linux kernel root flaw) are on watch pending firm identifiers.

Key findings

01. Already Covered (no repeat today) [High]
Palo Alto PAN-OS exploitation under CVE-2026-0257 featured in our 31 May report and carries no materially new development today, so it is not repeated here. Continue any remediation already underway from that advisory.

02. Finding 1: WP Maps Pro flaw actively exploited to create WordPress admin accounts (CVE-2026-8732) [Medium]
The WP Maps Pro plugin for WordPress contains a privilege-escalation flaw, tracked as CVE-2026-8732, in all versions up to and including 6.1.0. The wpgmptempaccess_ajax AJAX action is registered without an adequate capability check, which lets an attacker create a new administrator account and take over the site.

03. Finding 2: Credential-stealing npm worm compromises Red Hat packages (Miasma) [Medium]
Two reporting sources describe a supply-chain compromise, named Miasma, in which npm packages associated with Red Hat were altered to steal developer credentials. The reporting frames it as a self-propagating, credential-stealing worm in the npm registry rather than a single tampered package.

04. On Watch (active-exploitation reports awaiting firm identifiers) [Medium]
These two carry active-exploitation reporting but lack a confirmed CVE or advisory identifier at the time of writing. They are on watch, not dismissed: verify your own exposure now and treat a confirmed identifier as a trigger to act.

05. Finding 3: OpenAI Codex authentication tokens reportedly stolen via codexui-android@0.1.82 [single-source] [Low]
A single source reports that the npm package codexui-android, version 0.1.82, targets OpenAI Codex authentication tokens. The report does not confirm victim count, exploitation telemetry, or registry takedown status, so treat it as a containment-oriented hygiene check rather than a confirmed incident.

Finding 1: WP Maps Pro flaw actively exploited to create WordPress admin accounts (CVE-2026-8732)

Confidence: Medium-High

The WP Maps Pro plugin for WordPress contains a privilege-escalation flaw, tracked as CVE-2026-8732, in all versions up to and including 6.1.0. The wpgmptempaccessajax AJAX action is registered without an adequate capability check, which lets an attacker create a new administrator account and take over the site. The vulnerability is recorded in the NVD (published 2026-05-29), and The Hacker News reports it is being actively exploited.

This is the clearest action item today. Administrator-account creation gives an attacker full control of the affected site, including content, user data, and any connected systems.

Action: Update WP Maps Pro past 6.1.0 immediately on any WordPress estate that uses it. Audit the WordPress user list for unexpected administrator accounts created recently, and review access logs for calls to the wpgmptempaccessajax action. Where you cannot patch at once, disable the plugin until you can.

Source: https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html
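One way to run the access-log review from the Action above, as an added example that is not part of the original brief or of any vendor tooling. It assumes combined-format web-server logs and compares the action name with underscores removed, because the brief prints it both with and without one; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Action name as printed in this brief, compared with underscores removed
# because the brief spells it both with and without one.
TARGET = "wpgmptempaccessajax"

# Constructed combined-format log lines (documentation IPs), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jun/2026:04:12:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmptempaccess_ajax HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jun/2026:04:13:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 112 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jun/2026:04:13:41 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jun/2026:04:15:02 +0000] "GET /blog/?action=wpgmptempaccessajax HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request URI, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan_access_log(text, target=TARGET):
    """Return (named, body_only) lists of (ip, timestamp, method, status).

    named:     admin-ajax.php requests whose query string names the action.
    body_only: POSTs to admin-ajax.php with no action in the query string;
               the action travels in the body, which the log does not record.
    """
    named, body_only = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a combined-format request line
        ip, ts, method, uri, status = m.groups()
        url = urlsplit(uri)
        if not url.path.lower().endswith("/wp-admin/admin-ajax.php"):
            continue  # only the WordPress AJAX endpoint is of interest
        actions = [a.replace("_", "").lower()
                   for a in parse_qs(url.query).get("action", [])]
        rec = (ip, ts, method, int(status))
        if target in actions:
            named.append(rec)
        elif method == "POST" and not actions:
            body_only.append(rec)
    return named, body_only
```

Entries in the second list are candidates only: correlate their timestamps with the creation times of any unexpected administrator accounts before drawing conclusions.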

Finding 2: Credential-stealing npm worm compromises Red Hat packages (Miasma)

Confidence: Medium

Two reporting sources describe a supply-chain compromise, named Miasma, in which npm packages associated with Red Hat were altered to steal developer credentials. The reporting frames it as a self-propagating, credential-stealing worm in the npm registry rather than a single tampered package.

The practical risk is to developer workstations and CI runners, where registry tokens, source-code access, and other secrets often sit in the same context. A credential-stealing package that lands on a build runner can reach well beyond the one machine.

Action: Check npm install history, package-lock files, and CI logs for the affected Red Hat-associated packages. Rotate npm and registry credentials that may have been reachable from an affected developer or CI environment, and review recent registry activity for unexpected publishes or token use.

Sources: https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html and https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/

Finding 3: OpenAI Codex authentication tokens reportedly stolen via codexui-android@0.1.82 [single-source]

Confidence: Low / Unverified

A single source reports that the npm package codexui-android, version 0.1.82, targets OpenAI Codex authentication tokens. The report does not confirm victim count, exploitation telemetry, or registry takedown status, so treat it as a containment-oriented hygiene check rather than a confirmed incident. It fits the same developer-token supply-chain theme as the Miasma reporting above.

Action: Search package-lock files, npm caches, CI logs, and developer workstations for codexui-android, especially version 0.1.82. Rotate OpenAI or Codex tokens where the package appears in a trusted developer or CI environment.

Source: https://thehackernews.com/2026/06/openai-codex-authentication-tokens.html
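The lockfile search from the Finding 2 and Finding 3 actions, as an added example rather than code from the brief or the cited reports. The watchlist holds only codexui-android 0.1.82, the one package identifier this brief names; Miasma package names are not listed here and must be added from the linked reports. The sample lockfile is constructed.

```python
import json

# Watchlist: package name -> set of bad versions (empty set = any version).
# Only codexui-android 0.1.82 comes from this brief; extend it yourself.
WATCHLIST = {"codexui-android": {"0.1.82"}}

# Constructed sample lockfile (lockfileVersion 3 layout), not real data.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-ui/node_modules/codexui-android": {"version": "0.1.82"},
        "node_modules/@scope/codexui-android": {"version": "0.1.82"},
    },
})

def _name_from_path(path):
    # "node_modules/a/node_modules/@s/b" -> "@s/b"
    return path.rsplit("node_modules/", 1)[-1]

def _walk_v1(deps, trail=()):
    # lockfileVersion 1 nests transitive packages under "dependencies".
    for name, meta in (deps or {}).items():
        yield name, meta.get("version"), "/".join(trail + (name,))
        yield from _walk_v1(meta.get("dependencies"), trail + (name,))

def scan_lock(text, watchlist=WATCHLIST):
    """Return [(name, version, location)] for watchlisted packages,
    including transitive ones, matching on the exact package name."""
    lock = json.loads(text)
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    entries = [(_name_from_path(p), m.get("version"), p)
               for p, m in lock.get("packages", {}).items() if p]
    if not entries:
        entries = list(_walk_v1(lock.get("dependencies")))
    hits = []
    for name, version, where in entries:
        bad = watchlist.get(name)
        if bad is not None and (not bad or version in bad):
            hits.append((name, version, where))
    return hits
```

A hit in a lockfile shows the package was resolved for that project; npm caches and CI logs still need checking to establish where it was actually installed.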

On Watch (active-exploitation reports awaiting firm identifiers)

Confidence: Medium

These two carry active-exploitation reporting but lack a confirmed CVE or advisory identifier at the time of writing. They are on watch, not dismissed: verify your own exposure now and treat a confirmed identifier as a trigger to act.

  • Windows Netlogon remote code execution, reported exploited in attacks. If confirmed against your domain controllers this would be high-impact. Review domain-controller patch levels and watch for a Microsoft advisory or CVE to anchor remediation. Source: https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/
  • A Linux kernel local privilege-escalation flaw described as 19 years old, reported to grant root. Identify the affected subsystem and distribution advisories before scheduling kernel updates. Source: https://www.securityweek.com/19-year-old-linux-kernel-vulnerability-exposes-systems-to-root-access/

Already Covered (no repeat today)

Confidence: High

Palo Alto PAN-OS exploitation under CVE-2026-0257 featured in our 31 May report and carries no materially new development today, so it is not repeated here. Continue any remediation already underway from that advisory.

Why This Matters

Three of today's items sit in the software-supply-chain and developer-tooling layer: a WordPress plugin, npm registry packages, and an AI-tool token. The common thread is that a single compromised component can grant broad access, whether that is administrator control of a website or a credential lifted from a build runner. The defensive moves are the same in each case: know where the component is in use, patch or remove it, and rotate any credential that was reachable from it.

Recommended Actions

  • P1: Update WP Maps Pro past version 6.1.0 and audit WordPress sites for unexpected administrator accounts.
  • P1: Hunt for the Miasma-affected Red Hat npm packages and codexui-android@0.1.82 across npm caches, lockfiles, CI logs, and developer endpoints; rotate exposed registry and OpenAI/Codex tokens.
  • P2: Verify Windows domain-controller and Linux kernel exposure now; act on the Netlogon and Linux kernel reports as soon as a CVE or vendor advisory anchors them.
  • P3: No further action needed on Palo Alto CVE-2026-0257 beyond remediation already in progress from the 31 May advisory.

All findings grounded in a13e intelligence sweeps and verified against primary sources through 06:30 UTC on 02 June 2026.