CVE-2026-6518 (GCVE-0-2026-6518)

Vulnerability from cvelistv5 – Published: 2026-04-18 03:37 – Updated: 2026-04-18 03:37
VLAI?
Title
CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution
Summary
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
niteo CMP – Coming Soon & Maintenance Plugin by NiteoThemes Affected: 0 , ≤ 4.1.16 (semver)
Create a notification for this product.
Credits
ll
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CMP \u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes",
          "vendor": "niteo",
          "versions": [
            {
              "lessThanOrEqual": "4.1.16",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ll"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The CMP \u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file\u0027s content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-18T03:37:04.707Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d6fb275b-dbba-46df-b170-977ef4a84c4c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1421"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1437"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1447"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcmp-coming-soon-maintenance/tags/4.1.16\u0026new_path=%2Fcmp-coming-soon-maintenance/tags/4.1.17"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-17T15:02:18.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "CMP \u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes \u003c= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6518",
    "datePublished": "2026-04-18T03:37:04.707Z",
    "dateReserved": "2026-04-17T15:01:57.890Z",
    "dateUpdated": "2026-04-18T03:37:04.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-6518",
      "date": "2026-04-19",
      "epss": "0.0007",
      "percentile": "0.2152"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-6518\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-04-18T05:16:24.377\",\"lastModified\":\"2026-04-18T05:16:24.377\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The CMP \u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file\u0027s content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1421\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1437\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1447\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?old_path=%2Fcmp-coming-soon-maintenance/tags/4.1.16\u0026new_path=%2Fcmp-coming-soon-maintenance/tags/4.1.17\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/d6fb275b-dbba-46df-b170-977ef4a84c4c?source=cve\",\"source\":\"security@wordfence.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.