CVE-2026-8935
Advanced Google Maps < 6.1.1 - Unauthenticated Administrator Account Creation
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · WP MAPS PRO
Public PoCs found — 1
cve_reference: wpscan.com/vulnerability/9bad9fc1-5032-45dc-983f-ba2dd7092385/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.