CVE-2026-8935: WP MAPS PRO WordPress Plugin Unauthenticated AJAX Vulnerability (CVSS 9.8)

Critical Vulnerability — CVSS 9.8

CVE-2026-8935 is a critical-severity unauthenticated AJAX vulnerability in the WP MAPS PRO WordPress plugin.

CVSS Score: 9.8 (Critical) | Attack Complexity: Low | Privileges Required: None

Exploitation is trivial. A valid nonce is exposed on every frontend page, allowing any unauthenticated visitor to execute privileged AJAX actions remotely.

CVE-2026-8935 is a critical-severity unauthenticated AJAX vulnerability affecting the WP MAPS PRO WordPress plugin, a premium mapping and location plugin. The vulnerability allows any unauthenticated remote attacker to execute privileged AJAX actions that were intended only for authenticated users or administrators.

The root cause is a dual failure. First, WP MAPS PRO registers AJAX actions via wp_ajax_nopriv_* hooks, making them accessible to unauthenticated visitors, without performing authentication or capability checks inside the handler. Second, the plugin exposes a valid AJAX nonce on every frontend page, embedded in inline JavaScript. Any visitor can extract this nonce from the page source and invoke sensitive functionality with no authentication.

With a CVSS score of 9.8 (Critical) and Low attack complexity, this is one of the most straightforward-to-exploit WordPress plugin vulnerabilities disclosed in 2026.


What Is the Vulnerability

1. Unauthenticated AJAX Action Registration

WordPress plugins register AJAX handlers via wp_ajax_{action} for authenticated users and wp_ajax_nopriv_{action} for unauthenticated access. WP MAPS PRO registered privileged handlers via nopriv hooks without authentication checks in the callback. The handlers do not call is_user_logged_in() or current_user_can() and execute operations regardless of caller identity.

2. Nonce Exposure on Public Pages

WP MAPS PRO inlines its AJAX nonce into every frontend page via wp_localize_script(). Any visitor can view the page source, locate the nonce (stored in a predictable variable like wpmapspro_ajax_nonce), and craft a valid AJAX request.

The result: the AJAX endpoint is reachable without authentication, the nonce used for validation is publicly available, and no authentication check exists in the handler.


Versions Affected

  • WP MAPS PRO < 6.1.1 — Vulnerable
  • WP MAPS PRO 6.1.1 and later — Patched

Verify your version at Plugins → Installed Plugins in the WordPress admin dashboard.


Exploited?

CVE-2026-8935 is trivially exploitable. The attack requires:

  1. Visit any page on a target WordPress site running a vulnerable version.
  2. Extract the nonce from the page source (predictable inline JavaScript variable).
  3. Craft a POST request to /wp-admin/admin-ajax.php with the vulnerable action parameter and the extracted nonce.
  4. Execute privileged operations without authentication.

# Extract nonce from any frontend page (regex escapes corrected: \s, not \\s)
curl -s https://target-site.com/ | grep -oP 'wpmapspro_ajax_nonce\s*=\s*"[^"]+"'

# Execute vulnerable AJAX action
curl -X POST https://target-site.com/wp-admin/admin-ajax.php \
  -d 'action=vulnerable_action' \
  -d 'nonce=EXTRACTED_NONCE' \
  -d 'payload=...'

This profile makes CVE-2026-8935 attractive for automated exploitation at scale via WPScan, Nuclei, or botnets. The vulnerability is weaponisable by anyone with basic HTTP knowledge.


Fix

Resolved in WP MAPS PRO 6.1.1:

  1. Authentication enforcement: Privileged handlers now use wp_ajax_{action} or include is_user_logged_in() / current_user_can() checks.
  2. Nonce scope restriction: Nonces on frontend pages are scoped to non-privileged actions only.
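
To show the two defects and the shape of the fix side by side, here is an added PHP illustration (hypothetical plugin code, not WP MAPS PRO's own; every function, hook, nonce, capability and option name below is an assumption):

```php
<?php
// Added illustration of the CVE-2026-8935 pattern, not WP MAPS PRO's code.
// All function, hook, nonce and option names are hypothetical. The two
// halves are alternatives: load one or the other, never both.

// ---- Vulnerable pattern -------------------------------------------------
// 1) The nonce is localized into every frontend page, so any visitor can
//    read it from the page source.
function wpmp_demo_enqueue_vulnerable() {
    wp_enqueue_script( 'wpmp-demo', plugins_url( 'map.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'wpmp-demo', 'wpmp_demo_vars', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'wpmp_demo_nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'wpmp_demo_enqueue_vulnerable' );

// 2) A write handler registered on the nopriv hook with no capability check.
//    check_ajax_referer() only proves the caller saw the public nonce.
function wpmp_demo_save_markers_vulnerable() {
    check_ajax_referer( 'wpmp_demo_nonce', 'nonce' );
    update_option( 'wpmp_demo_markers', wp_unslash( $_POST['markers'] ?? '' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_wpmp_demo_save_markers',        'wpmp_demo_save_markers_vulnerable' );
add_action( 'wp_ajax_nopriv_wpmp_demo_save_markers', 'wpmp_demo_save_markers_vulnerable' );

// ---- Hardened pattern (the shape of the 6.1.1 fix) -----------------------
// Frontend pages only receive a nonce tied to public, read-only actions.
function wpmp_demo_enqueue_fixed() {
    wp_enqueue_script( 'wpmp-demo', plugins_url( 'map.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'wpmp-demo', 'wpmp_demo_vars', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'wpmp_demo_public_nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'wpmp_demo_enqueue_fixed' );

// Privileged writes: authenticated hook only (no wp_ajax_nopriv_ twin), a
// separate admin nonce localized solely on admin screens, and a capability
// check, because a nonce is CSRF protection, not authentication.
function wpmp_demo_save_markers_fixed() {
    check_ajax_referer( 'wpmp_demo_admin_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $markers = sanitize_textarea_field( wp_unslash( $_POST['markers'] ?? '' ) );
    update_option( 'wpmp_demo_markers', $markers );
    wp_send_json_success();
}
add_action( 'wp_ajax_wpmp_demo_save_markers', 'wpmp_demo_save_markers_fixed' );
```

When auditing other plugins for the same pattern, grep for every wp_ajax_nopriv_ registration and confirm its callback either performs no privileged operation or gates it with current_user_can().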

Remediation:

  1. Update WP MAPS PRO to version 6.1.1 or later via Dashboard → Updates.
  2. Verify version 6.1.1+ in Installed Plugins.
  3. Clear all caches (page cache, CDN, object cache).

No effective workarounds exist. Disabling the plugin removes map functionality but is a temporary option if the update cannot be applied immediately.


Recommendations

  1. Update immediately. CVSS 9.8 with trivial unauthenticated exploitation demands emergency patching. Apply WP MAPS PRO 6.1.1 now.
  2. Conduct integrity checks. Review map marker data for unexpected modifications, check access logs for unusual admin-ajax.php POST requests with WP MAPS PRO action parameters, and verify administrator accounts.
  3. Audit plugins for similar patterns. Check all plugins that expose nonces via wp_localize_script() and verify those nonces cannot invoke privileged AJAX actions.
  4. Harden AJAX security. Use a WAF to monitor admin-ajax.php, ensure all handlers perform capability checks, and restrict nopriv registration to genuinely public actions.
  5. Monitor for exploitation in server logs, particularly automated requests with WP MAPS PRO action values.
  6. Keep all plugins updated. Enable automatic updates and maintain regular patch cycles for premium plugins.

Disclaimer: This information is provided for educational and defensive purposes only. Always verify details against official NVD entries, vendor advisories, and plugin changelogs before taking action in production environments.
