CVE-2026-8935
Received Received - Intake
Unauthenticated Admin Creation in WP Maps Pro WordPress Plugin

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: WPScan

Description
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-15
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2026-8935
EUVD
EUVD-2026-36699
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wp_maps_pro wp_maps_pro to 6.1.1 (exc)
advanced_google_maps advanced_google_maps to 6.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can have a critical impact as it allows attackers without any authentication to gain full administrator access to a WordPress site. With such access, attackers can control the site, modify content, steal sensitive data, install malicious code, or disrupt site operations.

Mitigation Strategies

To mitigate this vulnerability, users are advised to update the WP MAPS PRO WordPress plugin to version 6.1.1 or later.

Executive Summary

The vulnerability in the Advanced Google Maps WordPress plugin (before version 6.1.1) allows unauthenticated attackers to create administrator accounts. This happens because the plugin registers an unauthenticated AJAX action that, when triggered with a valid nonce (a security token publicly exposed on frontend pages), unconditionally creates an admin account and returns a magic-login URL that grants immediate interactive admin access.

Compliance Impact

This vulnerability allows unauthenticated attackers to create administrator accounts and gain interactive admin access, which can lead to unauthorized access to sensitive data and systems.

Such unauthorized access could result in violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Failure to prevent unauthorized administrative access may lead to non-compliance with these regulations, potentially resulting in legal and financial consequences.

Detection Guidance

This vulnerability involves an unauthenticated AJAX action that creates an administrator account when triggered with a valid nonce publicly exposed on frontend pages. Detection involves monitoring for suspicious AJAX requests that attempt to exploit this action.

To detect exploitation attempts, you can look for unusual HTTP requests to the AJAX endpoint of the WP MAPS PRO plugin that include the nonce parameter and trigger account creation.

Suggested commands to detect such activity include using web server logs or network monitoring tools to search for suspicious AJAX calls. For example, using grep on Apache or Nginx logs:

  • grep -i 'wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep 'nonce='
  • grep -i 'wp-admin/admin-ajax.php' /var/log/nginx/access.log | grep 'nonce='

Additionally, monitoring for creation of new administrator accounts in WordPress user lists or database tables can help detect successful exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8935. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart