
CVE-2026-8935: WP MAPS PRO Auth Bypass Vulnerability

CVE-2026-8935 is an authentication bypass flaw in the WP MAPS PRO WordPress plugin that allows unauthenticated attackers to create administrator accounts and gain full site access. This post covers the technical details, affected versions, and mitigation.


CVE-2026-8935 Overview

CVE-2026-8935 affects the WP MAPS PRO WordPress plugin in versions prior to 6.1.1. The plugin registers an unauthenticated AJAX action that creates an administrator account when invoked with a valid nonce. That nonce is publicly emitted on any frontend page that enqueues the plugin's map script. After account creation, the endpoint returns a magic-login URL that grants interactive administrator access to the WordPress site.

The vulnerability allows full site takeover by any unauthenticated attacker who can reach a public page rendering a map. It combines broken access control with an authentication bypass through privileged account provisioning.

Critical Impact

An unauthenticated remote attacker can create a WordPress administrator account and obtain a magic-login URL, resulting in full site compromise.

Affected Products

  • WP MAPS PRO WordPress plugin versions before 6.1.1
  • WordPress sites enqueuing the WP MAPS PRO map script on any public page
  • Any frontend route that exposes the plugin's nonce to unauthenticated visitors

Discovery Timeline

  • 2026-06-15 - CVE-2026-8935 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-8935

Vulnerability Analysis

The plugin exposes an AJAX action through the WordPress wp-admin/admin-ajax.php interface without an authentication check. The handler validates only a WordPress nonce before performing privileged actions. WordPress nonces are not secrets when emitted on unauthenticated frontend pages, so this control fails to gate the endpoint.

When the plugin enqueues its map script on a public page, it localizes the nonce into the page output. An attacker scrapes the nonce from the HTML or JavaScript bootstrap data and replays it against the AJAX endpoint. The handler unconditionally creates a new user with the administrator role and returns a magic-login URL. The attacker follows that URL and obtains an authenticated administrator session without supplying a password.

This is classified as Broken Access Control combined with Authentication Bypass. The plugin treats nonce possession as proof of authorization, but nonces are intended only as CSRF tokens, not as authentication or authorization primitives.

Root Cause

The AJAX handler is registered using wp_ajax_nopriv_*, which permits unauthenticated invocation. The handler then relies solely on check_ajax_referer() for access control and proceeds to call wp_insert_user() with the administrator role. There is no capability check, no input validation on the requested role, and no rate limiting on account creation.
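The pattern the root cause describes, shown as an added example (the action name, nonce action and function names are hypothetical; this is not the plugin's own source): the vulnerable registration, then a hardened form that is privileged-only, capability-gated, role allow-listed, and returns no login URL.

```php
<?php
// Vulnerable pattern reconstructed from the advisory (names are hypothetical).
add_action( 'wp_ajax_nopriv_wpmp_create_account', 'wpmp_create_account_vulnerable' );
add_action( 'wp_ajax_wpmp_create_account', 'wpmp_create_account_vulnerable' );

function wpmp_create_account_vulnerable() {
    // Only a nonce is checked. The same nonce is printed into every public page
    // that loads the map script, so possessing it proves nothing about the caller.
    check_ajax_referer( 'wpmp_nonce', 'nonce' );
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['login'] ),
        'user_pass'  => wp_generate_password(),
        'role'       => 'administrator',   // hard-coded privileged role, no capability check
    ) );
    // Original handler also returned a magic-login URL for $user_id (generation omitted).
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Hardened form: no wp_ajax_nopriv_ registration, so anonymous callers never reach it.
add_action( 'wp_ajax_wpmp_create_account', 'wpmp_create_account_hardened' );

function wpmp_create_account_hardened() {
    check_ajax_referer( 'wpmp_nonce', 'nonce' );            // CSRF protection only
    if ( ! current_user_can( 'create_users' ) ) {           // authorization check
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed_roles = array( 'subscriber', 'contributor' );  // administrator is never grantable here
    $role = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : 'subscriber';
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'invalid_role', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    // No session or login URL is returned; the new user sets a password via the e-mailed link.
    wp_new_user_notification( $user_id, null, 'user' );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```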

Attack Vector

The attack requires only network access to a vulnerable site that renders the plugin's map on a public page. The attacker fetches a public page to harvest the nonce, then issues an unauthenticated POST to the AJAX endpoint with that nonce. The response contains the magic-login URL. The attacker visits the URL and inherits administrator privileges, after which arbitrary plugin installation, theme upload, and remote code execution through PHP-capable assets become trivial. No user interaction or social engineering is required.

No verified public proof-of-concept code is currently associated with this CVE. Refer to the WPScan Vulnerability Report for additional technical context.

Detection Methods for CVE-2026-8935

Indicators of Compromise

  • Unexpected WordPress user accounts with the administrator role created from external IP addresses
  • POST requests to /wp-admin/admin-ajax.php from unauthenticated sources referencing WP MAPS PRO AJAX actions
  • Successful logins immediately following a 200 response to the plugin's AJAX endpoint, originating from the same source IP
  • Sudden plugin or theme uploads, file edits in wp-content/, or new scheduled tasks shortly after account creation

Detection Strategies

  • Inspect the wp_users and wp_usermeta tables for accounts created after the plugin was installed and correlate creation timestamps with access logs
  • Alert on any HTTP 200 response from admin-ajax.php where the request body invokes the plugin's action and originates from an unauthenticated session
  • Monitor for magic-login URL patterns in outbound responses from the WordPress server to non-administrative client IPs
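A hunting helper for the first detection strategy, added here as an example rather than taken from the page or the plugin: run with `wp eval-file find-new-admins.php <cutoff-date>` to list administrator accounts registered after a cutoff (the default date is constructed), ready to correlate against access-log timestamps.

```php
<?php
// Usage: wp eval-file find-new-admins.php 2026-06-01
// Lists administrator accounts registered on or after the cutoff. WP-CLI exposes
// positional arguments to eval-file scripts in $args.
global $wpdb;
$cutoff = isset( $args[0] ) ? $args[0] : '2026-06-01';   // constructed default cutoff

// Capabilities are stored serialized, e.g. a:1:{s:13:"administrator";b:1;}.
// Matching on "administrator";b:1 avoids hits on a revoked (b:0) entry.
$admin_marker = '%' . $wpdb->esc_like( '"administrator";b:1' ) . '%';

$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT u.ID, u.user_login, u.user_email, u.user_registered
       FROM {$wpdb->users} u
       JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
      WHERE m.meta_key = %s
        AND m.meta_value LIKE %s
        AND u.user_registered >= %s
      ORDER BY u.user_registered DESC",
    $wpdb->prefix . 'capabilities',
    $admin_marker,
    $cutoff
) );

if ( empty( $rows ) ) {
    WP_CLI::success( "No administrator accounts registered since $cutoff." );
    return;
}
WP_CLI::warning( count( $rows ) . " administrator account(s) registered since $cutoff:" );
foreach ( $rows as $r ) {
    // Correlate user_registered with POSTs to admin-ajax.php in the access log.
    WP_CLI::line( sprintf( '%-6s %-24s %-32s %s', $r->ID, $r->user_login, $r->user_email, $r->user_registered ) );
}
```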

Monitoring Recommendations

  • Forward WordPress access logs and audit logs to a centralized analytics platform for correlation against authentication events
  • Enable a security plugin or web application firewall that records user creation events with source IP, user agent, and request URI
  • Track new administrator role assignments through scheduled database queries and alert on any change outside of an approved change window

How to Mitigate CVE-2026-8935

Immediate Actions Required

  • Update the WP MAPS PRO plugin to version 6.1.1 or later on all WordPress installations
  • Audit the wp_users table for unauthorized administrator accounts and remove any that cannot be tied to a legitimate operator
  • Rotate credentials, application passwords, and API keys for all remaining administrator accounts after the update
  • Review installed plugins, themes, and wp-content files for backdoors introduced during any potential pre-patch exposure window

Patch Information

The vendor addressed CVE-2026-8935 in WP MAPS PRO version 6.1.1. Site operators should upgrade through the WordPress plugin updater or by deploying the latest plugin package from the vendor. Confirm the installed version in the WordPress admin dashboard under Plugins after the update completes. Additional details are available in the WPScan Vulnerability Report.

Workarounds

  • Deactivate and remove the WP MAPS PRO plugin until the update to 6.1.1 can be applied
  • Block external requests to wp-admin/admin-ajax.php that target the plugin's action names at the web application firewall layer
  • Restrict administrator account creation through a hardening plugin or mu-plugin that filters wp_insert_user() calls and rejects unsolicited role assignments
  • Remove the plugin's map shortcode from publicly accessible pages to suppress nonce emission until patching is complete
```apache
# Example WAF rule concept (ModSecurity) blocking unauthenticated calls to the vulnerable AJAX action
# Replace <plugin_action> with the specific action name identified in plugin source
# phase:2 is required so ARGS from the POST body are inspected; @beginsWith tolerates a query string
# WordPress login cookies are named wordpress_logged_in_<hash>, so the cookie check matches by prefix
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
  "id:1026893501,phase:2,deny,status:403,t:none,chain,msg:'Block WP MAPS PRO unauth AJAX (CVE-2026-8935)'"
  SecRule ARGS:action "@streq <plugin_action>" "t:none,chain"
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
```
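The mu-plugin workaround above, as an added example (not vendor code): it aborts any wp_insert_user() call that would create an administrator unless the current request is itself authorized to create users, and reverts later escalation to the administrator role. It assumes WordPress 5.8 or later for the fourth wp_pre_insert_user_data argument, and that legitimate administrator provisioning runs under an authenticated administrator (or WP-CLI with --user).

```php
<?php
/**
 * Plugin Name: Admin Provisioning Guard
 * Description: Example mu-plugin; drop into wp-content/mu-plugins/ so it loads before all plugins.
 */

// Layer 1: refuse to create an administrator from an unauthorized context.
// Requires WordPress 5.8+ (fourth filter argument carries the raw wp_insert_user() data).
add_filter( 'wp_pre_insert_user_data', function ( $data, $update, $user_id, $userdata ) {
    if ( $update ) {
        return $data;                         // profile updates are out of scope here
    }
    $role = isset( $userdata['role'] ) ? $userdata['role'] : get_option( 'default_role' );
    if ( 'administrator' === $role && ! current_user_can( 'create_users' ) ) {
        error_log( sprintf(
            'admin-guard: blocked administrator creation for "%s" from %s',
            $data['user_login'] ?? '?',
            $_SERVER['REMOTE_ADDR'] ?? 'cli'  // WP-CLI runs without a request
        ) );
        return array();                       // empty data makes wp_insert_user() return WP_Error
    }
    return $data;
}, 10, 4 );

// Layer 2: revert escalation to administrator performed after creation via WP_User::set_role().
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! current_user_can( 'promote_users' ) ) {
        $user = get_userdata( $user_id );
        if ( $user ) {
            // Demoting re-enters this hook with a non-admin role, so it does not recurse.
            $user->set_role( get_option( 'default_role' ) );
            error_log( "admin-guard: reverted administrator role on user $user_id" );
        }
    }
}, 10, 3 );
```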

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
