CVE-2026-8935 | THREATINT

Description

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

PUBLISHED Reserved 2026-05-19 | Published 2026-06-15 | Updated 2026-06-15 | Assigner WPScan

Problem types

CWE-269 Improper Privilege Management

Product status

Default status

unaffected

Any version before 6.1.1

affected

Credits

Erwan LR (WPScan) finder

WPScan coordinator

References

wpscan.com/...rability/9bad9fc1-5032-45dc-983f-ba2dd7092385/ exploit vdb-entry technical-description

cve.org (CVE-2026-8935)

nvd.nist.gov (CVE-2026-8935)

Download JSON