CVE-2026-8935
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
The WP MAPS PRO WordPress plugin before version 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
Risk Assessment
The organization may be exposed to unauthorized access to the administrator account, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to update the WP MAPS PRO plugin to version 6.1.1 or later and to review and monitor user accounts for unauthorized changes.
Original NVD description (English source)
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

