Overview
A critical-severity vulnerability has been disclosed in the WP Maps Pro WordPress plugin, tracked as CVE-2026-8935 with a CVSS score of 9.8. The flaw allows any unauthenticated visitor to create a WordPress administrator account and receive a direct magic login URL, resulting in complete site compromise without any credentials.
The vulnerability affects all versions of WP Maps Pro before 6.1.1 and was published to the National Vulnerability Database on June 15, 2026.
Technical Details
The plugin registers an unauthenticated AJAX action that can be triggered by any visitor — no login required. The critical design flaw involves two compounding issues:
- Public Nonce Exposure: A valid nonce is emitted on every frontend page that loads the plugin's map script. This nonce is visible in the page source and accessible to any visitor without authentication.
- Unconditional Admin Creation: When the AJAX endpoint is called with the publicly available nonce, the plugin unconditionally creates a new administrator account and returns a magic login URL in the response.
An attacker only needs to:
- Visit any page on a vulnerable WordPress site that displays a map
- Extract the nonce from the HTML source
- Call the AJAX endpoint with that nonce
- Use the returned magic URL to immediately log in as a site administrator
No brute force, no credential theft, no privilege escalation — a single HTTP request chain is sufficient for full admin takeover.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| WP Maps Pro (WordPress plugin) | < 6.1.1 | 6.1.1 |
Risk Assessment
| Attribute | Value |
|---|---|
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
The combination of network-accessible attack vector, zero required privileges, and no user interaction required makes this one of the most severe vulnerability classes possible. A CVSS of 9.8 reflects a near-maximum risk rating.
Exploitation Scenario
A threat actor scanning WordPress installations could:
- Identify sites with WP Maps Pro installed (easily done via mass scanning for the plugin's static assets)
- Visit one page containing a map to obtain the nonce
- Fire a single POST request to `wp-admin/admin-ajax.php` with the vulnerable action and nonce
- Receive a JSON response containing the admin username and magic login URL
- Access the WordPress admin panel with full administrator privileges immediately
From admin access, attackers can install malicious plugins, redirect all site traffic, inject SEO spam, steal stored credentials, or use the server as a foothold for further attacks.
Remediation
Immediate action required:
- Update WP Maps Pro to version 6.1.1 or later immediately
- Audit your WordPress user list for any unfamiliar or recently created administrator accounts
- Rotate all WordPress administrator passwords as a precaution
- Review server logs for suspicious AJAX requests targeting `admin-ajax.php`
- Check for any unauthorized plugin installations or file modifications
Indicators of Compromise
Review your WordPress access logs for patterns like:
POST /wp-admin/admin-ajax.php
action=[vulnerable_action_name]
Unusual new administrator accounts with random usernames or email addresses in your WordPress Users panel are a strong indicator of exploitation.
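As an added example (not part of the original advisory), the following Python pass over access-log lines in Combined Log Format pulls out POSTs to `admin-ajax.php`, recovers the `action` name when it sits in the query string, and flags client IPs that go on to request other `/wp-admin/` pages afterwards, which is the login-then-dashboard sequence described above. The log lines and the action name are constructed placeholders; standard access logs do not record the POST body, so an `action` sent only in the body will not be visible to this check.

```python
import re
from urllib.parse import urlsplit, parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined Log Format: ip - - [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic); the action name is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2026:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=VULNERABLE_ACTION_PLACEHOLDER HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - - [15/Jun/2026:10:02:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "https://example.test/" "Mozilla/5.0"
198.51.100.4 - - [15/Jun/2026:10:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
"""


def find_ajax_hits(lines):
    """One record per POST to admin-ajax.php. 'action' is None when the
    parameter was sent in the body (not logged) rather than the query string.
    Note that many themes and plugins legitimately POST here for anonymous
    visitors; the action name, not the POST itself, is what to triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["target"])
        if parts.path != AJAX_PATH:
            continue
        action = parse_qs(parts.query).get("action", [None])[0]
        hits.append({"ip": m["ip"], "time": m["time"],
                     "status": m["status"], "action": action})
    return hits


def ips_with_admin_followup(lines):
    """IPs that POSTed to admin-ajax.php and later fetched another /wp-admin/
    page from the same address: the magic-login-then-dashboard pattern."""
    seen_ajax, flagged = set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if m["method"] == "POST" and path == AJAX_PATH:
            seen_ajax.add(m["ip"])
        elif path.startswith("/wp-admin/") and m["ip"] in seen_ajax:
            flagged.add(m["ip"])
    return sorted(flagged)
```

Feed it real log lines with `find_ajax_hits(open("access.log").read().splitlines())` and compare the recovered action names against the plugin's vulnerable action once the vendor names it.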