The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
Casky was already ahead
This CVE relies on attack patterns that Casky skills investigate, although at the time of writing 0 skills are matched to it directly. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who have run the relevant skills have already seen this threat behaviour in their findings.
WP MAPS PRO WordPress plugin versions before 6.1.1 contain a critical vulnerability allowing unauthenticated attackers to create administrator accounts and gain interactive admin access. The flaw stems from an AJAX action registered for logged-out callers that accepts a publicly visible nonce (emitted on any page loading the plugin's map script) and unconditionally creates an administrator account with no authentication or capability check. A WordPress nonce is a CSRF token, not a credential: one minted for an anonymous visitor is tied to user ID 0, is handed to every visitor, and stays valid for up to 24 hours, so it proves nothing about who is calling. With a CVSS score of 9.8, this affects any WordPress installation running the vulnerable plugin and immediately grants the attacker the highest privilege level and complete site compromise. The attack requires no special reconnaissance: the nonce is broadcast to every visitor, which makes exploitation trivial and feasible at scale.
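The following is an added example written for this page, not code from WP MAPS PRO or from Casky. It shows the vulnerability class described above in a hypothetical plugin, with the vulnerable handler beside its hardened form; every hook, action, script handle and nonce name below is an assumption and is not taken from the real plugin.

```php
<?php
/**
 * Added example: vulnerable vs. hardened WordPress AJAX handler.
 * Hypothetical plugin code; none of these names come from WP MAPS PRO.
 */

// ---- Vulnerable pattern --------------------------------------------------
// (1) The nonce is localised into a script that loads on public pages, so every
//     anonymous visitor receives it in the HTML. A nonce minted for a logged-out
//     request is tied to user ID 0 and stays valid for 12 to 24 hours.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-map', plugins_url( 'map.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-map', 'demoMap', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_map_nonce' ),
    ) );
} );

// (2) Registered on the *_nopriv_ hook, so it runs for logged-out callers.
//     check_ajax_referer() only proves the caller saw a page carrying the nonce;
//     it is CSRF protection, not authentication, and no capability is checked
//     before an administrator is created.
add_action( 'wp_ajax_nopriv_demo_setup', 'demo_setup_vulnerable' );
function demo_setup_vulnerable() {
    check_ajax_referer( 'demo_map_nonce', 'nonce' );
    $user_id = wp_create_user( 'demo_support', wp_generate_password( 24 ), 'support@example.invalid' );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    ( new WP_User( $user_id ) )->set_role( 'administrator' );
    // The real flaw also returned a login URL; this example stops at the user ID.
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// ---- Hardened pattern ----------------------------------------------------
// (1) The nonce is minted only on admin screens, only for users who could
//     perform the action anyway, and under an action name the frontend never sees.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'create_users' ) ) {
        return;
    }
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_admin_setup' ),
    ) );
} );

// (2) Only the authenticated hook (no wp_ajax_nopriv_ registration), and the
//     handler re-checks both the nonce and the capabilities server-side. The
//     account is created with the site's default role; promotion to
//     administrator is a separate, capability-gated decision.
add_action( 'wp_ajax_demo_setup', 'demo_setup_hardened' );
function demo_setup_hardened() {
    check_ajax_referer( 'demo_admin_setup', 'nonce' );
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user_id = wp_create_user( 'demo_support', wp_generate_password( 24 ), 'support@example.invalid' );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

Two checks to apply when reviewing any plugin: grep for `wp_ajax_nopriv_` and confirm every handler on that hook is genuinely meant for anonymous visitors, and treat `check_ajax_referer()` or `wp_verify_nonce()` as a CSRF control only, never as a substitute for `is_user_logged_in()` plus `current_user_can()`.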
While this CVE currently maps to zero MITRE ATT&CK techniques and zero Casky skills, practitioners using Casky's Claude-powered platform with extended reasoning capabilities would detect the attack pattern through behavioral anomaly detection across multiple threat domains. The platform would identify indicators spanning T1190 (Exploit Public-Facing Application - the unauthenticated AJAX request that triggers the flaw), T1136 (Create Account - the new administrator account), T1098 (Account Manipulation - unauthorized privilege assignment) and T1078 (Valid Accounts - subsequent use of the new admin through the magic-login URL). Security teams would see findings flagged for: unauthenticated AJAX action execution, reuse of a single public nonce across many admin-ajax.php requests, administrative account creation from external sources, privilege escalation without any credential entry, and magic-link authentication bypassing the standard login flow. As threat intelligence maps this vulnerability into MITRE's framework, Casky's skill library will expand to directly address these attack chains, enabling faster detection of similar AJAX security misconfigurations in WordPress ecosystems.
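One way to operationalise the "privilege escalation without credential entry" and "unauthenticated AJAX action execution" indicators above, as an added example that is not Casky's or WP MAPS PRO's code: a small must-use plugin that watches the core hooks fired when a user is created or promoted and refuses to let the administrator role be granted during an AJAX request that has no authenticated user, logging the event with the ATT&CK tags used above. The log format, the tag list and the plugin name are my own choices; the hooks (`set_user_role`, `user_register`, `wp_doing_ajax()`) are core WordPress.

```php
<?php
/**
 * Plugin Name: Unauthenticated admin-grant guard (added example)
 * Drop into wp-content/mu-plugins/. Illustrative compensating control written
 * for this page, not part of WP MAPS PRO or Casky.
 */

// True when this request must not be allowed to hand out the administrator
// role: an admin-ajax.php request with no authenticated user behind it.
function uag_is_unauthenticated_ajax() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return false; // `wp user create --role=administrator` runs with no user context; allow it
    }
    return wp_doing_ajax() && ! is_user_logged_in();
}

// One JSON line per finding; ship the PHP error log to your SIEM to correlate
// it with the access-log entry for the same admin-ajax.php request.
function uag_log( array $fields ) {
    $fields['ts']     = gmdate( 'c' );
    $fields['ip']     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $fields['action'] = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    // ATT&CK mapping is an assumption for this example, not a Casky mapping.
    $fields['attack'] = array( 'T1190', 'T1136', 'T1098' );
    error_log( 'uag ' . wp_json_encode( $fields ) );
}

// Fires from WP_User::set_role() after the new role has been stored. This also
// covers wp_insert_user( array( 'role' => 'administrator' ) ), which calls
// set_role() before user_register fires.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role || ! uag_is_unauthenticated_ajax() ) {
        return;
    }
    uag_log( array(
        'event'     => 'admin_role_granted_unauthenticated',
        'user_id'   => (int) $user_id,
        'old_roles' => $old_roles,
    ) );
    // Revoke by demoting to the site's default role. set_role() re-fires this
    // hook with the non-admin role, which the check above ignores, so no loop.
    ( new WP_User( $user_id ) )->set_role( get_option( 'default_role', 'subscriber' ) );
    wp_die( 'forbidden', '', array( 'response' => 403 ) );
}, 10, 3 );

// Second net for code paths that land a brand-new user in the role without
// going through set_role() (for example direct usermeta writes). The account
// did not exist a moment ago, so it is removed rather than demoted.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user || ! in_array( 'administrator', (array) $user->roles, true ) || ! uag_is_unauthenticated_ajax() ) {
        return;
    }
    uag_log( array( 'event' => 'admin_created_unauthenticated', 'user_id' => (int) $user_id ) );
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    wp_delete_user( $user_id );
    wp_die( 'forbidden', '', array( 'response' => 403 ) );
}, 10, 1 );
```

The guard deliberately does not touch authenticated requests or WP-CLI, so legitimate administrator creation keeps working; its purpose is to turn the specific behaviour this CVE depends on (an administrator appearing during an anonymous admin-ajax.php call) into a blocked request and a log line rather than a silent success. Run it alongside, not instead of, patching to 6.1.1 or later.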
© 2026 Casky.AI, Inc. · AI Security Investigation