CVE-2026-6518 (GCVE-0-2026-6518)
Vulnerability from cvelistv5
Published
2026-04-18 03:37
Modified
2026-04-20 13:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| niteo | CMP – Coming Soon & Maintenance Plugin by NiteoThemes |
Version: 0 ≤ 4.1.16 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:39:46.692921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:46:08.222Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CMP \u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes",
"vendor": "niteo",
"versions": [
{
"lessThanOrEqual": "4.1.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ll"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CMP \u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file\u0027s content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T03:37:04.707Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d6fb275b-dbba-46df-b170-977ef4a84c4c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1421"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1437"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1447"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcmp-coming-soon-maintenance/tags/4.1.16\u0026new_path=%2Fcmp-coming-soon-maintenance/tags/4.1.17"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-17T15:02:18.000Z",
"value": "Disclosed"
}
],
"title": "CMP \u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes \u003c= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6518",
"datePublished": "2026-04-18T03:37:04.707Z",
"dateReserved": "2026-04-17T15:01:57.890Z",
"dateUpdated": "2026-04-20T13:46:08.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6518\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-20T13:39:46.692921Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-20T13:44:56.456Z\"}}], \"cna\": {\"title\": \"CMP \\u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes \u003c= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"ll\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"niteo\", \"product\": \"CMP \\u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.1.16\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-04-17T15:02:18.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/d6fb275b-dbba-46df-b170-977ef4a84c4c?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1421\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1437\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1447\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?old_path=%2Fcmp-coming-soon-maintenance/tags/4.1.16\u0026new_path=%2Fcmp-coming-soon-maintenance/tags/4.1.17\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The CMP \\u2013 Coming Soon \u0026 Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file\u0027s content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434 Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-18T03:37:04.707Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-6518\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-20T13:46:08.222Z\", \"dateReserved\": \"2026-04-17T15:01:57.890Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-04-18T03:37:04.707Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…