Description
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP MAPS PRO WordPress plugin registers an AJAX action on the unauthenticated (wp_ajax_nopriv_) path which, when supplied with a valid nonce taken from any frontend page that loads the plugin’s map script, creates a new administrator account and returns a magic‑login URL. A WordPress nonce is a CSRF token tied to an action and a time window; it is not proof of the caller’s identity or permissions, so gating a privileged operation on the nonce alone leaves it open to any visitor who can read the page source. The flaw is an instance of CWE‑284 (Improper Access Control) and CWE‑862 (Missing Authorization) and yields full administrative privileges without prior authentication: the attacker controls the entire WordPress site, including its content, plugins, and user accounts.
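To make the root cause concrete, the following is an added illustrative example, not the plugin’s actual code (which this page does not reproduce): the vulnerable pattern of a nonce‑only gate on a nopriv AJAX handler, beside a hardened replacement. The hook, action, script and nonce names (wpmp_create_user, wpmp_nonce, wpmp-map) are hypothetical; the WordPress functions called are real.

```php
<?php
// Added illustration only. Every name prefixed wpmp_ is hypothetical.

// Every frontend page that loads the map script also receives the nonce,
// so the nonce is effectively public: any visitor can read it from the page source.
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('wpmp-map', plugins_url('map.js', __FILE__), [], '1.0', true);
    wp_localize_script('wpmp-map', 'wpmpData', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('wpmp_nonce'),
    ]);
});

// VULNERABLE PATTERN: reachable by logged-out users through wp_ajax_nopriv_*,
// and the only gate is the nonce. check_ajax_referer() proves the request came
// from a page that printed the nonce; it says nothing about who is asking.
function wpmp_create_user_vulnerable(): void {
    check_ajax_referer('wpmp_nonce', 'nonce');

    $user_id = wp_insert_user([
        'user_login' => sanitize_user(wp_unslash($_POST['username'] ?? ''), true),
        'user_email' => sanitize_email(wp_unslash($_POST['email'] ?? '')),
        'user_pass'  => wp_generate_password(24),
        'role'       => 'administrator',   // privileged role, unconditionally
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()], 400);
    }
    // The real handler also returned a URL that signs the new account in; the
    // page describes that behaviour but its mechanism is not reproduced here.
    wp_send_json_success(['user_id' => $user_id]);
}
// How the vulnerable pattern is wired up (left commented out so this file is
// safe to load; the nopriv line is the one that exposes it to anonymous visitors):
// add_action('wp_ajax_nopriv_wpmp_create_user', 'wpmp_create_user_vulnerable');
// add_action('wp_ajax_wpmp_create_user',        'wpmp_create_user_vulnerable');

// HARDENED: authenticated hook only, a capability check, a server-chosen
// least-privilege role, and no login link in the response.
function wpmp_create_user_hardened(): void {
    check_ajax_referer('wpmp_nonce', 'nonce');               // CSRF protection, nothing more
    if (!is_user_logged_in() || !current_user_can('create_users')) {
        wp_send_json_error(['message' => 'forbidden'], 403); // authorization; wp_die()s here
    }
    $user_id = wp_insert_user([
        'user_login' => sanitize_user(wp_unslash($_POST['username'] ?? ''), true),
        'user_email' => sanitize_email(wp_unslash($_POST['email'] ?? '')),
        'user_pass'  => wp_generate_password(24),
        'role'       => 'subscriber',      // never taken from the request
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()], 400);
    }
    wp_send_json_success(['user_id' => $user_id]);
}
// No wp_ajax_nopriv_ registration at all: logged-out callers never reach the handler.
add_action('wp_ajax_wpmp_create_user', 'wpmp_create_user_hardened');
```

The two handlers differ in three places that matter: the hardened one is registered only on the authenticated hook, it checks a capability after the nonce check rather than treating the nonce as authorization, and it never lets the request choose the role or receive a credential.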

Affected Systems

Any WordPress website that has the WP MAPS PRO plugin installed at a version earlier than 6.1.1 is vulnerable. The attack surface is exposed on any page that enqueues the plugin’s map script, as the nonce is publicly emitted in the page’s source. No additional credentials or compromise of the server is required; any visitor to the site can capture the nonce and trigger the vulnerable AJAX endpoint.

Risk and Exploitability

With a CVSS 3.1 base score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) the flaw is rated critical: it is reachable over the network, needs no privileges or user interaction, has low attack complexity, and gives total loss of confidentiality, integrity and availability. The EPSS score is below 1%, a low but nonzero estimate of exploitation in the wild; EPSS is recomputed daily, so treat the figure as a snapshot rather than a property of the bug. The vulnerability is not in the CISA KEV catalog, although the SSVC enrichment recorded on this page rates it Automatable: yes with Technical Impact: total. Exploitation is straightforward: the attacker loads any page of a vulnerable site that enqueues the map script, reads the nonce from the page source, sends it to the AJAX endpoint, and receives a magic‑login URL that signs them in as an administrator. Because the endpoint is publicly reachable and its only precondition is a nonce the site hands to every visitor, the risk is high for any site that has not updated.

Generated by OpenCVE AI on June 17, 2026 at 21:54 UTC.

Remediation

OpenCVE carries no vendor advisory text or workaround for this entry. The CVE description itself reports versions before 6.1.1 as affected, so 6.1.1 is the first version reported as fixed; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade WP MAPS PRO to version 6.1.1 or later, the first version the CVE description reports as not affected.
  • If an upgrade is not immediately possible, neutralise the AJAX action from a must‑use plugin (wp-content/mu-plugins/, which survives theme changes and updates, unlike the theme’s functions.php): remove every callback from the wp_ajax_nopriv_ hook for that action and require an appropriate capability (for example create_users) on the logged‑in wp_ajax_ hook.
  • Otherwise deactivate WP MAPS PRO until the patch or the custom guard is in place.
  • Whichever route you take, audit the site’s administrator accounts and remove any you did not create: updating the plugin closes the hole but does not undo accounts an attacker already added.
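As an added example of the interim guard described above (not code from the plugin or from OpenCVE), here is a must‑use plugin that neutralises an unauthenticated AJAX action before the plugin’s own handler can run. The action name wpmp_create_user is a placeholder: substitute the real suffix from the plugin’s add_action('wp_ajax_nopriv_…') registration, which this page does not name.

```php
<?php
/**
 * Plugin Name: Block unauthenticated WP MAPS PRO account creation (temporary)
 * Description: Added stopgap for CVE-2026-8935 until the plugin is updated.
 *              Save as wp-content/mu-plugins/block-wpmp-ajax.php.
 */

// PLACEHOLDER: set this to the plugin's real AJAX action name, i.e. the suffix
// in its add_action('wp_ajax_nopriv_<name>', ...). wpmp_create_user is hypothetical.
const WPMP_BLOCKED_ACTION = 'wpmp_create_user';

add_action('init', function () {
    $nopriv = 'wp_ajax_nopriv_' . WPMP_BLOCKED_ACTION;
    $priv   = 'wp_ajax_' . WPMP_BLOCKED_ACTION;

    // 1. Unhook every callback the plugin attached to the logged-out entry point.
    //    mu-plugins load before regular plugins, so this must run on a hook that
    //    fires after the plugin has registered its actions; init qualifies, and
    //    admin-ajax.php dispatches wp_ajax_nopriv_* only after init has run.
    remove_all_actions($nopriv);

    // 2. Belt and braces: if anything re-registers the nopriv action later, this
    //    callback runs first (lowest priority value) and wp_send_json_error()
    //    calls wp_die(), so nothing after it executes.
    add_action($nopriv, function () {
        wp_send_json_error(['message' => 'This action is disabled.'], 403);
    }, PHP_INT_MIN);

    // 3. Even for logged-in users, require the capability that creating an
    //    account implies; the plugin's handler only runs if the check passes.
    add_action($priv, function () {
        if (!current_user_can('create_users')) {
            wp_send_json_error(['message' => 'Insufficient privileges.'], 403);
        }
    }, PHP_INT_MIN);
}, 1);
```

Verify it by sending the same request a browser would (POST to /wp-admin/admin-ajax.php with action=<name> and the nonce) from a logged‑out session and confirming a 403 JSON error rather than a success payload. Then list administrators with `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` and check every row against the accounts you expect.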

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wordpress; Wordpress wordpress; Wp Maps Pro; Wp Maps Pro wp Maps Pro
Vendors & Products   -                Wordpress; Wordpress wordpress; Wp Maps Pro; Wp Maps Pro wp Maps Pro

Thu, 18 Jun 2026 04:45:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                CWE-284; CWE-862

Wed, 17 Jun 2026 05:15:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                CWE-284; CWE-862

Mon, 15 Jun 2026 17:30:00 +0000

Type     Values Removed   Values Added
Metrics  -                cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                          ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 09:45:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                CWE-284; CWE-862

Mon, 15 Jun 2026 08:00:00 +0000

Type         Values Removed   Values Added
Description  -                The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
Title        -                Advanced Google Maps < 6.1.1 - Unauthenticated Administrator Account Creation
References   -                (none listed on the page)

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-15T16:35:19.577Z

Reserved: 2026-05-19T11:21:38.445Z

Link: CVE-2026-8935

Vulnrichment

Updated: 2026-06-15T16:35:03.298Z

NVD

Status: Deferred

Published: 2026-06-15T08:16:22.100

Modified: 2026-06-15T20:50:47.973

Link: CVE-2026-8935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T09:37:07Z

Weaknesses