Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools

Description

The plugin authenticates MCP requests with a token but then performs no capability check in the majority of its MCP tools. Token authentication only establishes who is calling, not what that user may do, so any authenticated user with a low-privileged role such as Subscriber can read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.
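The following is an added illustration of the pattern the description refers to; it is not code from the Royal MCP plugin, and the tool names, handler names and dispatch shape are assumptions made for this example. Only the WordPress capability API (current_user_can with map_meta_cap primitives such as read_post, edit_post, delete_post, and the list_users role capability) is real. The vulnerable handler shows what "token authenticated but no capability check" looks like; the hardened handlers show the per-object check each tool needs.

```php
<?php
/**
 * Added example, not the plugin's own code. Tool and function names are
 * hypothetical; the capability calls are the real WordPress API.
 *
 * Assumption: the MCP entry point has already validated the caller's token
 * and called wp_set_current_user() with the matching user, so
 * current_user_can() reflects that user's role. That step identifies the
 * caller; every tool must still check what the caller may do.
 */

// Vulnerable pattern: trusts the token, never asks whether this user may read this post.
function example_tool_get_post_vulnerable( array $args ) {
    $post = get_post( (int) $args['id'] );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post', array( 'status' => 404 ) );
    }
    // A Subscriber reaches private and draft posts of other users here.
    return array( 'id' => $post->ID, 'status' => $post->post_status, 'content' => $post->post_content );
}

// Hardened: 'read_post' is mapped by map_meta_cap(); public posts pass for
// anyone, private or draft posts require read_private_posts or authorship.
function example_tool_get_post_hardened( array $args ) {
    $post = get_post( (int) $args['id'] );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'forbidden', 'You cannot read this post', array( 'status' => 403 ) );
    }
    return array( 'id' => $post->ID, 'status' => $post->post_status, 'content' => $post->post_content );
}

// Hardened user enumeration: listing accounts and their roles requires list_users,
// which Subscriber, Contributor, Author and Editor do not hold by default.
function example_tool_list_users_hardened() {
    if ( ! current_user_can( 'list_users' ) ) {
        return new WP_Error( 'forbidden', 'You cannot list users', array( 'status' => 403 ) );
    }
    $out = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $row ) {
        $user  = get_userdata( $row->ID );
        $out[] = array( 'id' => (int) $row->ID, 'login' => $row->user_login, 'roles' => $user->roles );
    }
    return $out;
}

// Hardened write path: edit and delete are checked per object, so an Author
// may touch their own posts but not another user's.
function example_tool_update_post_hardened( array $args ) {
    $id = (int) $args['id'];
    if ( ! current_user_can( 'edit_post', $id ) ) {
        return new WP_Error( 'forbidden', 'You cannot edit this post', array( 'status' => 403 ) );
    }
    $result = wp_update_post(
        array( 'ID' => $id, 'post_content' => wp_kses_post( (string) $args['content'] ) ),
        true // return WP_Error instead of 0 on failure
    );
    return is_wp_error( $result ) ? $result : array( 'id' => $result );
}

function example_tool_delete_post_hardened( array $args ) {
    $id = (int) $args['id'];
    if ( ! current_user_can( 'delete_post', $id ) ) {
        return new WP_Error( 'forbidden', 'You cannot delete this post', array( 'status' => 403 ) );
    }
    $deleted = wp_delete_post( $id, false ); // move to trash rather than force delete
    if ( ! $deleted ) {
        return new WP_Error( 'delete_failed', 'Delete failed', array( 'status' => 500 ) );
    }
    return array( 'id' => $id, 'status' => 'trash' );
}

// Hypothetical dispatcher. A single gate at this level (for example checking only
// 'read') would not be enough: each tool decides against the object it touches.
function example_dispatch_tool( $tool, array $args ) {
    $tools = array(
        'get_post'    => 'example_tool_get_post_hardened',
        'list_users'  => 'example_tool_list_users_hardened',
        'update_post' => 'example_tool_update_post_hardened',
        'delete_post' => 'example_tool_delete_post_hardened',
    );
    if ( ! isset( $tools[ $tool ] ) ) {
        return new WP_Error( 'unknown_tool', 'Unknown tool', array( 'status' => 400 ) );
    }
    return call_user_func( $tools[ $tool ], $args );
}
```

The practical check when auditing a plugin like this is to issue the same tool call with a Subscriber token and an Administrator token and compare the responses: for private content, user listings and writes to other users' posts, the Subscriber call should come back 403, and if it returns the same data as the Administrator call the tool has no capability check. Object-level meta capabilities (read_post, edit_post, delete_post with a post ID) are preferable to blanket role capabilities because they also cover ownership, which a global check such as edit_posts does not.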

Proof of Concept

Affects Plugins

Fixed in 1.4.26

References

Classification

Type
NO AUTHORISATION
CWE
CVSS

Miscellaneous

Original Researcher
Alessandro Greco aka Aleff, Giovanbattista Ianni (University of Calabria - UNICAL)
Submitter
Alessandro Greco aka Aleff
Verified
Yes

Timeline

Publicly Published
2026-06-10
Added
2026-06-10
Last Updated
2026-06-27