WordPress Plugin RCE: CMP Coming Soon & Maintenance Vulnerability

The National Vulnerability Database has disclosed CVE-2026-6518, impacting the CMP – Coming Soon & Maintenance Plugin by NiteoThemes for WordPress. This critical vulnerability, present in all versions up to and including 4.1.16, allows for arbitrary file upload and remote code execution through the cmp_theme_update_install AJAX action. The root cause lies in insufficient capability checks and a severe lack of validation for user-supplied file URLs.

Specifically, the function validates against the publish_pages capability, which is accessible to Editors, rather than the more restrictive manage_options for Administrators. Coupled with no proper verification of the downloaded file’s content before extraction, an authenticated attacker with Administrator-level access can force the server to download a malicious ZIP file from a remote, attacker-controlled URL. This file is then extracted into a web-accessible directory (wp-content/plugins/cmp-premium-themes/), leading directly to remote code execution. While Editors possess the necessary capability, the absence of a nonce prevents them from exploiting this specific vector. The CVSS score for this vulnerability is a high 8.8.

This is a classic case of privilege escalation combined with a dangerous lack of input validation. Attackers understand that WordPress installations are often managed by multiple users with varying roles. Targeting a capability available to ‘Editors’ rather than strictly ‘Administrators’ significantly broadens the attack surface for internal threats or compromised accounts. The arbitrary file upload combined with code execution means full system compromise is trivial once an attacker gains initial access, even if it’s not administrative.