CVE-2026-8935
Description
Unauthenticated attacker can create an administrator account and gain interactive admin access via a publicly exposed nonce in the WP MAPS PRO WordPress plugin before 6.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP MAPS PRO plugin (also known as Advanced Google Maps) before version 6.1.1 registers an unauthenticated AJAX action (the WordPress `wp_ajax_nopriv_*` hook, which runs for logged-out visitors) that, given a valid nonce, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access [1]. The only gate is that nonce, and the plugin emits it on every frontend page that enqueues its map script, so any visitor to such a page can read it from the page source. A WordPress nonce is a CSRF token, not an authentication or authorization check; a handler that performs a privileged operation after verifying only the nonce is effectively open to anyone who can load the page.
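The following is an added illustration of the bug class described above, not the WP MAPS PRO plugin's own code. The action name `example_setup_admin`, the nonce actions, the script handle and the magic-link transient are hypothetical; the WordPress APIs used (`add_action`, `wp_localize_script`, `wp_create_nonce`, `check_ajax_referer`, `wp_insert_user`, `current_user_can`, `wp_send_json_*`) are real. The vulnerable handler is shown beside a hardened one.

```php
<?php
// Added example (not the plugin's code). Names prefixed "example_" are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// The nonce is handed to every visitor so the front-end map script can call
// admin-ajax.php. A nonce only proves the request originated from a page that
// embedded it; it is neither authentication nor authorization.
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('example-map', plugins_url('map.js', __FILE__), [], '1.0', true);
    wp_localize_script('example-map', 'exampleMap', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('example_map_ajax'), // visible in page source to any visitor
    ]);
});

// wp_ajax_nopriv_* fires for logged-out requests. The only gate is a nonce that
// every visitor already has, so anyone can create an administrator.
add_action('wp_ajax_nopriv_example_setup_admin', 'example_setup_admin_vulnerable');
function example_setup_admin_vulnerable() {
    check_ajax_referer('example_map_ajax', 'nonce');          // passes for any visitor
    $user_id = wp_insert_user([
        'user_login' => sanitize_user($_POST['login'] ?? 'mapsadmin'),
        'user_pass'  => wp_generate_password(24),
        'role'       => 'administrator',
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message());
    }
    // Returning a one-time login URL turns account creation into an interactive
    // admin session with no password needed (hypothetical magic-link sketch).
    $token = wp_generate_password(32, false);
    set_transient('example_magic_' . $token, $user_id, 10 * MINUTE_IN_SECONDS);
    wp_send_json_success([
        'login_url' => add_query_arg('example_magic', $token, home_url('/')),
    ]);
}

// --- Hardened pattern -------------------------------------------------------
// 1. The privileged operation is registered on wp_ajax_* only (logged-in users);
//    there is no wp_ajax_nopriv_ twin.
// 2. A capability check decides authorization; the nonce remains CSRF defence.
// 3. No magic-login URL is issued. The front-end map script only needs read-only
//    data endpoints, so account creation is never reachable from the front end.
add_action('wp_ajax_example_setup_admin', 'example_setup_admin_hardened');
function example_setup_admin_hardened() {
    check_ajax_referer('example_admin_ajax', 'nonce');        // CSRF protection only
    if (!current_user_can('create_users') || !current_user_can('promote_users')) {
        wp_send_json_error('insufficient privileges', 403);  // the actual authorization check
    }
    $login = sanitize_user($_POST['login'] ?? '');
    if ($login === '') {
        wp_send_json_error('login required', 400);
    }
    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_pass'  => wp_generate_password(24),
        'role'       => 'administrator',
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message(), 400);
    }
    wp_send_json_success(['user_id' => $user_id]);
}
```

When reviewing a plugin for this class of bug, grep for `wp_ajax_nopriv_` registrations and check whether each handler's authorization rests on anything stronger than `check_ajax_referer`/`wp_verify_nonce`; a nonce that is localized into a public script is available to every visitor by design.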
Exploitation
An unauthenticated attacker obtains the nonce by loading any frontend page that enqueues the plugin's map script (the nonce is embedded in the page's HTML or script variables), then sends a crafted request for the vulnerable action to the site's admin-ajax.php endpoint. No account, session, or prior access is required. The response contains a magic-login URL that grants immediate administrator-level access to the WordPress site.
Impact
Successful exploitation allows the attacker to create a new administrator account and log in via the magic-link URL, gaining full control over the WordPress installation. This includes the ability to modify content, install plugins, change settings, and access sensitive data.
Mitigation
The vulnerability is fixed in version 6.1.1 of the plugin [1]. Users should update immediately. No workaround is known; if patching is not possible, remove the plugin or disable the vulnerable AJAX action. Because exploitation leaves behind a new administrator account and possibly an active session, updating alone is not sufficient on a site that was exposed: audit the administrator list for accounts you did not create, remove them, invalidate their sessions, and rotate credentials and API keys that such an account could have read.
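An added post-patch audit script, not part of the advisory or the plugin. It runs inside WordPress via WP-CLI (`wp eval-file audit-admins.php 2026-06-01 [--revoke]`); the cutoff date and the `--revoke` switch are this script's own conventions, while `$args`, `get_users()` and `WP_Session_Tokens` are real WP-CLI and core APIs. It lists every administrator, flags those registered after the cutoff, and optionally destroys their sessions so an account opened through a magic-login URL cannot keep being used while you investigate.

```php
<?php
// Added example (not the plugin's code). Run with:
//   wp eval-file audit-admins.php <YYYY-MM-DD cutoff> [--revoke]
// WP-CLI places the extra command-line arguments in $args.

$cutoff   = $args[0] ?? '1970-01-01';
$revoke   = in_array('--revoke', $args, true);
$cutoffTs = strtotime($cutoff . ' 00:00:00 UTC');
if ($cutoffTs === false) {
    fwrite(STDERR, "invalid cutoff date: {$cutoff}\n");
    exit(1);
}

// user_registered is stored in GMT, so compare it as UTC.
$admins = get_users([
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
]);

printf("%-6s %-24s %-32s %-20s %s\n", 'ID', 'login', 'email', 'registered (GMT)', 'sessions');
$suspect = 0;
foreach ($admins as $u) {
    $registeredTs = strtotime($u->user_registered . ' UTC');
    $sessions     = WP_Session_Tokens::get_instance($u->ID)->get_all();
    $isNew        = $registeredTs !== false && $registeredTs >= $cutoffTs;
    $flag         = $isNew ? '  <-- created after cutoff: confirm who created it' : '';
    printf("%-6d %-24s %-32s %-20s %d%s\n",
        $u->ID, $u->user_login, $u->user_email, $u->user_registered, count($sessions), $flag);

    if ($isNew) {
        $suspect++;
        if ($revoke) {
            // Kill live sessions for the flagged account. Deleting or demoting the
            // account is a separate decision once ownership is confirmed.
            WP_Session_Tokens::get_instance($u->ID)->destroy_all();
            echo "       sessions revoked for {$u->user_login}\n";
        }
    }
}
printf("\n%d administrator(s), %d registered on or after %s\n", count($admins), $suspect, $cutoff);
```

Pick the cutoff from something you trust, such as the date of your last known-good backup or when the site first ran a pre-6.1.1 version. An administrator account whose creation nobody can account for should be treated as evidence of compromise, not just cleaned up.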
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (no CPE identifier assigned to either):
- (no CPE) range: <6.1.1
- (no CPE) range: <6.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.