Critical RCE Vulnerability in WordPress Plugin CVE-2026-6518
Severity: High (Score: 71.0)
Sources: nvd.nist.gov, Radar.Offseq
Summary
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes for WordPress has a critical vulnerability (CVE-2026-6518) affecting all versions up to 4.1.16. This vulnerability allows authenticated users with Administrator privileges to exploit the `cmp_theme_update_install` AJAX action, which improperly checks user capabilities, enabling arbitrary file uploads and remote code execution. Attackers can force the server to download and extract malicious ZIP files into a web-accessible directory, leading to full server compromise. Editors cannot exploit this vulnerability due to nonce protections. No patch or official fix has been released as of April 19, 2026. Security professionals are advised to restrict Administrator access and monitor for suspicious activity. Currently, there are no known exploits in the wild. The vulnerability was published on April 18, 2026.

Key Points:
- CVE-2026-6518 allows RCE via the CMP plugin for WordPress, affecting versions up to 4.1.16.
- Authenticated users with Administrator access can exploit this vulnerability due to improper capability checks.
- No patch is available; restrict access and monitor for suspicious activity related to the AJAX action.
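The advisory's monitoring advice centres on the AJAX action. As an added example (not code from the plugin, NVD or Radar.Offseq), the Python below scans constructed web-server access-log lines for requests to `admin-ajax.php` carrying `action=cmp_theme_update_install` and records whether the server handled the request. It assumes the action is passed in the query string; calls that put it only in the POST body will not be visible in access logs and need request-body logging or a WAF to catch.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Apr/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=cmp_theme_update_install HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Apr/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.12 - - [18/Apr/2026:10:02:09 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.10 - - [18/Apr/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=cmp_theme_update_install HTTP/1.1" 403 64 "-" "python-requests/2.31"
"""

# AJAX action named in the advisory for CVE-2026-6518.
WATCHED_ACTIONS = {"cmp_theme_update_install"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def ajax_action(target):
    """Return the WordPress AJAX action in the request target's query string, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    return parse_qs(parts.query).get("action", [None])[0]

def find_watched_requests(log_text):
    """Return a record for every parsed request whose AJAX action is in WATCHED_ACTIONS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action = ajax_action(rec["target"])
        if action in WATCHED_ACTIONS:
            hits.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "status": rec["status"], "action": action,
                # A 2xx response means the handler ran; a 403 suggests the attempt was blocked.
                "handled": rec["status"].startswith("2"),
            })
    return hits

if __name__ == "__main__":
    for h in find_watched_requests(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} action={h["action"]} '
              f'status={h["status"]} handled={h["handled"]}')
```

Repeated hits from one source, or any hit with `handled=True` on a site whose Administrators should not be using that action, are the events worth triaging against the plugin's upload directory.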
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2026-6518 (cve)
- CWE-434 - Unrestricted Upload of File with Dangerous Type (cwe)
- CWE-862 - Missing Authorization (cwe)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- WordPress (platform)