CVE Catalog

CVE-2026-8935

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

The WP MAPS PRO WordPress plugin before version 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

Risk Assessment

The organization may be exposed to unauthorized access to the administrator account, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to update the WP MAPS PRO plugin to version 6.1.1 or later and to review and monitor user accounts for unauthorized changes.

Original NVD description (English source)

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS