External risk intelligence

WP MAPS PRO Unauthenticated Admin Account Creation

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-8935

A vulnerability in the WP MAPS PRO WordPress plugin allows unauthenticated users to create an administrator account and gain full site access. This occurs because an AJAX action can be triggered with a publicly available nonce, leading to the unconditional creation of an admin account and a magic-login URL. This could

Halo Surface Signal score for CVE-2026-8935: 5

External exposure likelihood

The vulnerability affects a WordPress plugin that is designed to be embedded on public-facing frontend pages. Since the plugin's map script is intended for public interaction and the vulnerable AJAX action is reachable without authentication, it is by design exposed to the internet in any standard deployment where the map feature is enabled.

PCI scan relevance

Halo PCI Relevance for CVE-2026-8935: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is PCI scan-relevant due to an unauthenticated administrator account creation vulnerability in the WP MAPS PRO WordPress plugin, which allows for interactive admin access.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in a popular WordPress plugin allows anyone to create an administrator account on a website without any credentials: the required nonce is exposed on any page where the plugin is active, and the AJAX action that creates the account accepts unauthenticated requests. This could lead to a complete takeover of the affected website.

  • Unauthenticated admin account creation is possible.
  • It allows unauthorized control over websites.
  • Confirm plugin relevance and exposure promptly.

Attack Path

How an attacker could exploit the issue

An attacker can create a new administrator account on a WordPress site by exploiting a vulnerability in the WP MAPS PRO plugin. This is possible because the plugin registers an unauthenticated AJAX action that can be triggered with a publicly available nonce. Once the administrator account is created, the attacker receives a magic-login URL that grants them full interactive administrative access to the site.

  • Attacker needs public access to a WordPress site.
  • Triggered by an unauthenticated AJAX request.
  • Leads to full administrator account takeover.

Live Threat

Current exploitation, exposure, and threat context

A publicly accessible WordPress plugin feature can allow an unauthenticated attacker to create a new administrator account on the website. This is possible by exploiting a registered AJAX action that, when provided with a valid nonce found on any page using the plugin's map script, will unconditionally create the administrator account and return a magic-login URL for immediate access.

  • Administrator accounts and site control.
  • Unauthenticated AJAX action execution.
  • Full site compromise.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The WP MAPS PRO WordPress plugin's unauthenticated AJAX action can lead to the creation of an administrator account, posing a critical risk. Identifying where this plugin is deployed, confirming its reachability and business criticality, and then locating the accountable owner are the initial steps for remediation planning.

  • Application owners should own this issue.
  • Verify plugin usage and exposure.
  • Plan remediation based on risk.

Frequently asked questions

What is the WP MAPS PRO plugin used for?

WP MAPS PRO is a WordPress plugin that enables website owners to display interactive maps and location-based data to their visitors. Because its core functionality involves rendering map scripts on frontend pages for user interaction, it is frequently embedded on public-facing areas of a website to provide store locators or visual guides.

How does CVE-2026-8935 allow unauthorized access?

This vulnerability is an Improper Access Control issue. The plugin includes an AJAX feature that lacks proper authentication and authorization checks. An attacker can leverage a publicly visible security token, known as a nonce, to trigger this action, which results in the automatic creation of a new administrator account and provides the attacker with a direct login link. A WordPress nonce only ties a request to a page that rendered it (a CSRF defence); it does not establish who the caller is, so it cannot substitute for a capability check.
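The bug class described above, as an added illustration that is not WP MAPS PRO's own code: a hypothetical WordPress AJAX handler registered for unauthenticated callers and guarded only by a nonce, next to a hardened version. The action name `example_create_account`, the nonce action `example_nonce` and all function names are placeholders.

```php
<?php
// Added example (hypothetical handler, not the plugin's code). All names are placeholders.

// --- Vulnerable pattern ---------------------------------------------------
// The nonce is printed into a public page (e.g. via wp_localize_script()), so anyone
// who loads that page can read it. check_ajax_referer() only proves the request came
// from a page that received the nonce: it is CSRF protection, not authorization.
add_action( 'wp_ajax_nopriv_example_create_account', 'example_create_account_vulnerable' );
add_action( 'wp_ajax_example_create_account', 'example_create_account_vulnerable' );

function example_create_account_vulnerable() {
    check_ajax_referer( 'example_nonce', 'nonce' );      // anyone holding the public nonce passes
    $user_id = wp_insert_user( array(                    // unconditional admin creation
        'user_login' => sanitize_user( $_POST['login'] ),
        'user_pass'  => wp_generate_password(),
        'role'       => 'administrator',
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// --- Hardened pattern -----------------------------------------------------
// 1. No wp_ajax_nopriv_ hook: anonymous callers never reach the handler.
// 2. A capability check: a nonce plus a logged-in session is still not enough,
//    the caller must actually be allowed to create users.
// 3. The role is fixed server-side and never taken from the request.
add_action( 'wp_ajax_example_create_account', 'example_create_account_hardened' );

function example_create_account_hardened() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $login = isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ), true ) : '';
    if ( '' === $login || username_exists( $login ) ) {
        wp_send_json_error( array( 'message' => 'invalid login' ), 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber',   // least privilege; never 'administrator' from a request
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

When auditing a plugin for this class of flaw, look for every `wp_ajax_nopriv_` registration whose callback performs a privileged write and confirm it carries a `current_user_can()` check rather than only a nonce check.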

Do I need to be logged in for this to be triggered?

No. The vulnerability exists because the plugin's AJAX action is designed to be accessible to unauthenticated users. As long as a page on your site is enqueuing the plugin's map script, the necessary nonce is exposed to anyone who visits that page. The attack does not require any prior administrative permissions or secret credentials.

Is my site at risk if it uses WP MAPS PRO?

Yes, if you use a vulnerable version. According to Halo Surface Signal, this plugin is designed to be embedded on public-facing pages, meaning the vulnerable endpoint is reachable over the internet by default in standard deployments. If your site has the map feature enabled and active, it is exposed to this risk.

Why should I update my WP MAPS PRO plugin immediately?

Because this flaw grants an attacker full administrative control over your website, it represents a critical security risk. Your first step should be to verify if you are running a version earlier than 6.1.1. If so, prioritize updating to the latest secure version to remove the vulnerable AJAX action and prevent unauthorized account creation.
