Description
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
Published: 2026-06-15
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to create a new administrator account without any authentication, using a publicly accessible AJAX endpoint that requires only a valid nonce. The new account is granted full administrative privileges and the system returns a magic-login URL that enables the attacker to access the dashboard interactively, essentially leading to a full administrative compromise of the affected WordPress site.

Affected Systems

WP MAPS PRO WordPress plugin, versions prior to 6.1.1. Any website running a version of this plugin older than 6.1.1 is vulnerable. The vulnerability is triggered through an unauthenticated AJAX action that is exposed on any frontend page where the plugin’s map script is enqueued.

Risk and Exploitability

Because the AJAX endpoint is publicly reachable and only requires a nonce that can be extracted from the frontend, attackers can exploit this flaw with minimal effort. The EPSS score is currently not available, and the vulnerability is not listed in the CISA KEV catalog, but the severity implied by the creation of privileged accounts indicates a high risk. Exploitation requires no special access; simply visiting a site using the vulnerable plugin and capturing the nonce will suffice, after which the attacker can activate the magic-login URL and control the site.

Generated by OpenCVE AI on June 15, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP MAPS PRO to version 6.1.1 or later, which removes the vulnerable AJAX endpoint.
  • If an upgrade is not immediately possible, disable the vulnerable AJAX action with custom code in the theme’s functions.php or a small plugin that unhooks the unauthenticated handler so the endpoint no longer does anything.
  • Verify that the nonce emission has been disabled on the frontend and that no admin privileges are granted through public calls.
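The interim workaround above, written out as a drop-in must-use plugin. This is an added example, not code from OpenCVE, WPScan or the WP MAPS PRO vendor. The advisory does not name the vulnerable AJAX action, so the action name is a placeholder you must replace with the real one (found by searching the plugin source for its wp_ajax_nopriv_ registration); admin_init, wp_doing_ajax, remove_all_actions, wp_send_json_error and the set_user_role action are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Interim hardening for CVE-2026-8935 (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/. Unhooks the plugin's
 *              unauthenticated AJAX handler and logs any administrator role
 *              grant that is not performed by a logged-in user with promote_users.
 */

// ASSUMPTION: the advisory does not state the vulnerable action name.
// Replace this placeholder with the real action registered via wp_ajax_nopriv_.
const CVE_2026_8935_ACTION = 'REPLACE_WITH_VULNERABLE_ACTION_NAME';

/**
 * admin-ajax.php fires admin_init before it dispatches wp_ajax_nopriv_{action},
 * so a late admin_init callback runs after the plugin has attached its handler.
 */
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return; // only relevant to admin-ajax.php requests
    }
    $hook = 'wp_ajax_nopriv_' . CVE_2026_8935_ACTION;

    // Remove every unauthenticated callback attached to this action.
    remove_all_actions( $hook );

    // Replace it with an explicit refusal so requests get a 403 rather than
    // WordPress's default "0" response, which makes the block visible in logs.
    add_action( $hook, function () {
        wp_send_json_error( array( 'message' => 'This endpoint has been disabled.' ), 403 );
    } );
}, PHP_INT_MAX );

/**
 * Detection: WordPress fires set_user_role whenever a role is assigned.
 * An administrator role granted while no user is logged in, or by a user
 * lacking promote_users, matches the behaviour described in this CVE.
 */
add_action( 'set_user_role', function ( $user_id, $role ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
        return; // expected: an existing administrator promoted the user
    }
    $user = get_userdata( $user_id );
    error_log( sprintf(
        '[CVE-2026-8935 watch] administrator role set for user #%d (%s) without an authorised actor; remote=%s uri=%s',
        $user_id,
        $user ? $user->user_login : 'unknown',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ) );
}, 10, 2 );
```

The detection hook also fires for legitimate unauthenticated paths such as WP-CLI user creation or the initial install, so treat its log line as a trigger for review rather than proof of compromise. Neither part replaces the upgrade to 6.1.1: the mu-plugin only neutralises the handler and records suspicious role grants; it does not remove the nonce from frontend pages.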

Generated by OpenCVE AI on June 15, 2026 at 09:20 UTC.


Advisories

No advisories yet.

History

Mon, 15 Jun 2026 09:45:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-284
                                CWE-862

Mon, 15 Jun 2026 08:00:00 +0000

Type          Values Removed    Values Added
Description                     The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
Title                           Advanced Google Maps < 6.1.1 - Unauthenticated Administrator Account Creation
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-15T06:00:02.334Z

Reserved: 2026-05-19T11:21:38.445Z

Link: CVE-2026-8935

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T08:16:22.100

Modified: 2026-06-15T08:16:22.100

Link: CVE-2026-8935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T09:30:03Z

Weaknesses