Critical RCE Vulnerability in WordPress Plugin CVE-2026-6518

Critical RCE Vulnerability in WordPress Plugin CVE-2026-6518

First seen 19 Apr 2026, 07:45 UTC Radar.Offseqnvd.nist.gov 72% similarity 71.0

Article Content

Browse articles
ThreatCluster

The CMP – Coming Soon & Maintenance Plugin by NiteoThemes for WordPress has a critical vulnerability (CVE-2026-6518) affecting all versions up to 4.1.16. This vulnerability allows authenticated users with Administrator privileges to exploit the `cmp_theme_update_install` AJAX action, which improperly checks user capabilities, enabling arbitrary file uploads and remote code execution. Attackers can force the server to download and extract malicious ZIP files into a web-accessible directory, leading to full server compromise. Editors cannot exploit this vulnerability due to nonce protections. No patch or official fix has been released as of April 19, 2026. Security professionals are advised to restrict Administrator access and monitor for suspicious activity. Currently, there are no known exploits in the wild. The vulnerability was published on April 18, 2026.

Key Points: • CVE-2026-6518 allows RCE via the CMP plugin for WordPress, affecting versions up to 4.1.16. • Authenticated users with Administrator access can exploit this vulnerability due to improper capability checks. • No patch is available; restrict access and monitor for suspicious activity related to the AJAX action.

ThreatCluster AI

Timeline

2026-04-18
CVE-2026-6518 published
2026-04-19
Vulnerability reported in multiple cybersecurity articles

Community

Browse all →