How is CVE-2026-8935 exploited?

Network reachability (required): The vulnerable AJAX endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP or HTTPS. Authentication (not-required): No account or credentials of any kind are needed; the endpoint accepts unauthenticated requests. Victim interaction (not-required): No victim action is required; the attacker calls the endpoint directly without any user involvement. Attack complexity (info): The exploit is reliable and condition-free: the required nonce is emitted in plaintext on any frontend page that loads the map script, making it trivially collectible before triggering the attack.

What is the impact of CVE-2026-8935?

Attacker creates a net-new WordPress administrator account and receives a ready-to-use magic login URL, gaining full interactive admin access immediately. With admin access, the attacker reads all stored site data including private posts, user records, API keys, and any credentials stored in the WordPress database. The attacker can install or modify plugins and themes to execute arbitrary server-side code, escalating beyond WordPress into the underlying container or host. All site content, configuration, and user data can be modified or deleted, including replacement of legitimate pages with attacker-controlled content.

Back to search

CRITICALCVE-2026-8935Published 2026-06-15Modified 2026-06-15CNA WPScan

CVE-2026-8935: Advanced Google Maps < 6.1.1 - Unauthenticated Administrator Account Creation

Q: What is CVE-2026-8935?

This is an authentication bypass and privilege escalation vulnerability in the WP MAPS PRO WordPress plugin (Advanced Google Maps) before version 6.1.1. An attacker with network access and no credentials can call an unauthenticated AJAX endpoint, supply a nonce that is publicly available on any frontend page loading the map script, and immediately receive a fully privileged administrator account plus a ready-to-use login URL. Successful exploitation gives the attacker complete administrative control over the WordPress site, including the ability to read all data, modify or delete content, and install arbitrary code. A patched-image rebuild at version 6.1.1 is available on HarborGuard for affected environments.

Q: How is CVE-2026-8935 fixed?

A patched-image rebuild pinned to WP MAPS PRO 6.1.1 becomes available in HarborGuard the moment the fix version is registered. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 6.1.1
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authentication bypass and privilege escalation vulnerability in the WP MAPS PRO WordPress plugin (Advanced Google Maps) before version 6.1.1. An attacker with network access and no credentials can call an unauthenticated AJAX endpoint, supply a nonce that is publicly available on any frontend page loading the map script, and immediately receive a fully privileged administrator account plus a ready-to-use login URL. Successful exploitation gives the attacker complete administrative control over the WordPress site, including the ability to read all data, modify or delete content, and install arbitrary code. A patched-image rebuild at version 6.1.1 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including WPScan advisories, within minutes of publication and matched against customer images and build pipelines, including custom-built WordPress images bundling the plugin. No manual triage step is needed to surface affected images.

Available

Triage

HarborGuard scores this finding at CVSS 9.8 (Critical) and is capable of weighting it further against each customer organization's per-environment compliance policy before routing the alert to the appropriate team inbox. The unauthenticated, zero-interaction exploit path is reflected in the triage context surfaced alongside the finding.

Available

Patch

A patched-image rebuild pinned to WP MAPS PRO 6.1.1 becomes available in HarborGuard the moment the fix version is registered. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The vulnerable AJAX endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP or HTTPS.
AuthenticationNot required
No account or credentials of any kind are needed; the endpoint accepts unauthenticated requests.
Victim interactionNot required
No victim action is required; the attacker calls the endpoint directly without any user involvement.
Attack complexityDetail
The exploit is reliable and condition-free: the required nonce is emitted in plaintext on any frontend page that loads the map script, making it trivially collectible before triggering the attack.

Blast Radius

Attacker creates a net-new WordPress administrator account and receives a ready-to-use magic login URL, gaining full interactive admin access immediately.
With admin access, the attacker reads all stored site data including private posts, user records, API keys, and any credentials stored in the WordPress database.
The attacker can install or modify plugins and themes to execute arbitrary server-side code, escalating beyond WordPress into the underlying container or host.
All site content, configuration, and user data can be modified or deleted, including replacement of legitimate pages with attacker-controlled content.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-8935 is active across all connected registries and CI pipelines, matching any image that bundles WP MAPS PRO below 6.1.1, including custom-built WordPress images. Given the Critical severity and zero-interaction exploit path, this CVE is surfaced at the top of the compliance queue for each affected environment. A rebuild at version 6.1.1 is available for environments running an affected image. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with remediation steps and the pinned fix version clearly identified.

See how HarborGuard automates this

Fix available

6.1.1

Affected packages

Unknown / WP MAPS PRO
< 6.1.1 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

wpscan.com

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available