WordPress Plugin Vulnerabilities

Advanced Google Maps < 6.1.1 - Unauthenticated Administrator Account Creation

Description

The plugin registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

Proof of Concept

Affects Plugins

Plugin icon
wp-google-map-gold
Fixed in 6.1.1

References

CVE
CVE-2026-8935

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
9bad9fc1-5032-45dc-983f-ba2dd7092385

Timeline

Publicly Published
2026-05-25 (about 21 days ago)
Added
2026-05-25 (about 20 days ago)
Last Updated
2026-06-13 (about 1 day ago)

Other

Published
Title
Published
2017-10-31
Title
Shortcodes Ultimate <= 5.0.0 - Authenticated Contributor Code Execution
Published
2025-04-23
Title
Frontend Login and Registration Blocks < 1.0.9 - Subscriber+ Privilege Escalation via Password Reset
Published
2026-06-01
Title
Support Board < 3.8.9 - Unauthenticated Privilege Escalation
Published
2023-03-06
Title
Multiple e-plugins - Subscriber+ Privilege Escalation
Published
2026-02-26
Title
Listee < 1.1.7 - Unauthenticated Privilege Escalation