GHSA-j5mr-6rv3-xgwhCriticalCVSS 9.8

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which,...

Published
June 15, 2026
Last Modified
June 15, 2026

🔗 CVE IDs covered (1)

📋 Description

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

🔗 References (3)