WordPress Plugin Vulnerabilities
Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools
Description
The plugin does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.
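The description points at a single defensive gap: token authentication establishes who is calling, but each tool still needs its own capability check to decide what that caller may do. The following PHP snippet is an added illustration of that pattern, not Royal MCP's own code and not a description of how the plugin is implemented. It assumes it runs inside WordPress (it uses `wp_set_current_user`, `current_user_can`, `get_post` and `WP_Error`), and every `royal_demo_*` name is hypothetical.

```php
<?php
/**
 * Added example (not the plugin's code): an authorization gate for MCP-style
 * tool handlers in a WordPress plugin. Token authentication only answers
 * WHO is calling; each tool must still ask WHAT that user may do.
 * All royal_demo_* names are hypothetical.
 */

// Map each tool to the WordPress capability it requires. Tools that act on a
// specific post use a meta capability (read_post / edit_post / delete_post)
// so WordPress's own mapping enforces post ownership and status.
function royal_demo_tool_capabilities(): array {
    return [
        'list_users'  => ['cap' => 'list_users'],
        'create_post' => ['cap' => 'edit_posts'],
        'read_post'   => ['cap' => 'read_post',   'needs_post' => true],
        'update_post' => ['cap' => 'edit_post',   'needs_post' => true],
        'delete_post' => ['cap' => 'delete_post', 'needs_post' => true],
    ];
}

/**
 * Authorize one tool call for $user_id, which token authentication has
 * already established elsewhere. Returns true or a WP_Error.
 */
function royal_demo_authorize_tool(int $user_id, string $tool, array $args) {
    $caps = royal_demo_tool_capabilities();
    if (!isset($caps[$tool])) {
        return new WP_Error('unknown_tool', 'Unknown tool', ['status' => 404]);
    }

    // Make capability checks apply to the authenticated user, not to whatever
    // user the request context happened to start with.
    wp_set_current_user($user_id);
    $rule = $caps[$tool];

    if (!empty($rule['needs_post'])) {
        $post_id = isset($args['post_id']) ? (int) $args['post_id'] : 0;
        if ($post_id <= 0 || get_post($post_id) === null) {
            return new WP_Error('invalid_post', 'Missing or unknown post_id', ['status' => 400]);
        }
        // Meta capability: WordPress resolves edit_post on another user's post
        // to edit_others_posts, and read_post on a private post to
        // read_private_posts, so a Subscriber is refused on both.
        if (!current_user_can($rule['cap'], $post_id)) {
            return new WP_Error('forbidden', 'Insufficient capability for this post', ['status' => 403]);
        }
        return true;
    }

    if (!current_user_can($rule['cap'])) {
        return new WP_Error('forbidden', 'Insufficient capability for tool ' . $tool, ['status' => 403]);
    }
    return true;
}

// The weak pattern is "authenticate the token, then run the tool"; the
// hardened dispatcher puts the per-tool authorization step in between.
function royal_demo_dispatch_tool(int $user_id, string $tool, array $args, callable $handler) {
    $decision = royal_demo_authorize_tool($user_id, $tool, $args);
    if (is_wp_error($decision)) {
        return $decision;          // 403/404/400 surfaces to the MCP client
    }
    return $handler($args);        // only reached with an explicit allow
}
```

The capability map is deliberately explicit rather than defaulting to "allow": an unknown tool is rejected, and a new tool added without an entry fails closed. Using meta capabilities with a post ID lets WordPress decide ownership questions instead of re-implementing them in the plugin.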
Proof of Concept
Affects Plugins
References
CVE
Classification
Type: NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher: Alessandro Greco aka Aleff, Giovanbattista Ianni (University of Calabria - UNICAL)
Submitter: Alessandro Greco aka Aleff
Submitter website
Verified: Yes
WPVDB ID
Timeline
Publicly Published: 2026-06-10
Added: 2026-06-10
Last Updated: 2026-06-27