Impact
The WP MAPS PRO WordPress plugin registers an unauthenticated (nopriv) AJAX action whose only gate is a nonce. That nonce is emitted into the source of every frontend page that loads the plugin's map script, so any visitor can obtain it. A caller who supplies it causes the handler to create a new administrator account and return a magic‑login URL for it. A WordPress nonce is a CSRF token, not an authentication or authorization control, so the handler performs a privileged operation with no check of who the caller is or what they are permitted to do. This is an instance of improper access control (CWE‑284) and missing authorization (CWE‑862), and it lets an attacker obtain full administrative privileges without prior authentication: complete control of the site, including its data, plugins, and user accounts.
Affected Systems
Any WordPress website that has the WP MAPS PRO plugin installed at a version earlier than 6.1.1 is vulnerable. The attack surface is exposed on any page that enqueues the plugin’s map script, as the nonce is publicly emitted in the page’s source. No additional credentials or compromise of the server is required; any visitor to the site can capture the nonce and trigger the vulnerable AJAX endpoint.
Risk and Exploitability
With a CVSS score of 9.8, the flaw is classified as critical. The EPSS score is below 1%, indicating a low yet nonzero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation is straightforward and requires no account on the target: the attacker visits a vulnerable site, reads the nonce out of the page source, sends one request to the AJAX endpoint with that nonce, and receives a magic‑login URL for a newly created administrator. Because the endpoint is publicly reachable and the nonce it expects is public, the risk is high for every site that has not updated to 6.1.1 or later. Operators of affected sites should also review the user list for administrator accounts they did not create, since a successful attack leaves such an account behind even after the plugin is patched.
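The following is an added illustration of the flaw class described above, written for this page; it is not WP MAPS PRO's code, and the action, nonce and function names (`example_create_user`, `example_map_nonce`, `example_magic_login_url`, and so on) are hypothetical stand‑ins, since the advisory does not give the plugin's real identifiers. It shows how a nonce emitted by `wp_localize_script` becomes public, why a nonce‑only check in a `wp_ajax_nopriv_` handler is not an authorization check, and what the hardened handler looks like.

```php
<?php
// Illustrative example written for this page, not the plugin's own code.
// All identifiers below (example_*) are hypothetical.

// 1. The nonce is handed to the browser with the map script. wp_localize_script()
//    writes it into an inline <script> on every page that enqueues the script,
//    so it is visible to any visitor who views the page source.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-map', plugins_url( 'map.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-map', 'exampleMap', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_map_nonce' ), // public to every visitor
    ) );
} );

// Hypothetical helper: mint a one-time token and build a login URL for the user.
function example_magic_login_url( $user_id ) {
    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'example_magic_token', wp_hash( $token ) );
    return add_query_arg( array( 'uid' => $user_id, 'magic' => $token ), home_url( '/' ) );
}

// 2. VULNERABLE PATTERN. The nopriv hook makes the action reachable without a
//    session, and check_ajax_referer() only proves the caller saw a page that
//    contains the nonce. Nothing asks whether the caller may create users.
add_action( 'wp_ajax_nopriv_example_create_user', 'example_create_user_vulnerable' );
add_action( 'wp_ajax_example_create_user',        'example_create_user_vulnerable' );

function example_create_user_vulnerable() {
    check_ajax_referer( 'example_map_nonce', 'nonce' ); // CSRF check only, not authz

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'administrator', // privilege chosen by the handler itself
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    // Returning a one-time login link hands the anonymous caller an admin session.
    wp_send_json_success( array( 'login_url' => example_magic_login_url( $user_id ) ) );
}

// 3. HARDENED PATTERN. No nopriv registration, so anonymous requests never reach
//    the handler; an explicit capability check before any side effect, because
//    wp_ajax_ alone still fires for any logged-in user (e.g. a subscriber); the
//    nonce retained only as CSRF protection for an already-authorised caller;
//    and no login URL in the response.
add_action( 'wp_ajax_example_create_user_safe', 'example_create_user_hardened' );

function example_create_user_hardened() {
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_map_nonce', 'nonce' );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber', // least privilege; promotion is a separate, audited step
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => (int) $user_id ) );
}
```

When auditing a plugin for this class of bug, grep for `wp_ajax_nopriv_` registrations and, for each handler, confirm that a `current_user_can()` (or equivalent) check precedes every state‑changing call; a `check_ajax_referer()` or `wp_verify_nonce()` call on its own is not sufficient, because the nonce it verifies was generated for, and delivered to, an anonymous visitor.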
OpenCVE Enrichment