CMP < 4.1.17 - Admin+ Arbitrary File Upload and Remote Code Execution

Description

The plugin is vulnerable to arbitrary file upload and remote code execution via the `cmp_theme_update_install` AJAX action. The handler only checks for the `publish_pages` capability (held by Editors and above) instead of `manage_options` (Administrators only); it also performs no proper validation of the user-supplied file URL and does not verify the downloaded file's content before extracting it. This makes it possible for authenticated attackers with Administrator-level access and above to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Because the required nonce is not exposed to Editors, they are unable to exploit this vulnerability.
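As an added illustration of how the three weaknesses above are closed on the defensive side (this is not the plugin's code): an AJAX handler that requires a nonce and `manage_options`, validates and pins the download URL, and inspects every archive entry before anything reaches the web-accessible plugin directory. The hook name, nonce action, allowed host and extension allow-list are assumptions.

```php
// Added illustration, not the plugin's code: hook, nonce action, allowed host
// and the extension allow-list are assumptions.
add_action( 'wp_ajax_cmp_secure_theme_install', 'cmp_secure_theme_install' );

function cmp_secure_theme_install() {
    // Nonce bound to this action, plus an Administrator-only capability
    // (manage_options) instead of publish_pages, which Editors also hold.
    check_ajax_referer( 'cmp_secure_theme_install', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Validate the user-supplied URL and pin it to a known download host.
    $url  = wp_http_validate_url( esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) ) );
    $host = $url ? wp_parse_url( $url, PHP_URL_HOST ) : '';
    if ( ! $url || 'updates.example.com' !== $host ) { // assumed host
        wp_send_json_error( 'url not allowed', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url( $url, 30 );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }
    // Inspect every archive entry before anything is written to the
    // web-accessible plugin directory: no traversal, no absolute paths,
    // and only static theme-asset extensions (so .php never lands on disk).
    $allowed = array( 'css', 'js', 'png', 'jpg', 'svg', 'json', 'txt' );
    $zip     = new ZipArchive();
    $ok      = ( true === $zip->open( $tmp ) );
    for ( $i = 0; $ok && $i < $zip->numFiles; $i++ ) {
        $name   = $zip->getNameIndex( $i );
        $is_dir = '/' === substr( $name, -1 );
        $ext    = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( false !== strpos( $name, '..' ) || '/' === $name[0]
            || ( ! $is_dir && ! in_array( $ext, $allowed, true ) ) ) {
            $ok = false;
        }
    }
    if ( ! $ok ) {
        wp_delete_file( $tmp );
        wp_send_json_error( 'archive rejected', 400 );
    }
    WP_Filesystem();
    $result = unzip_file( $tmp, WP_PLUGIN_DIR . '/cmp-premium-themes/' );
    wp_delete_file( $tmp );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( 'installed' );
}
```

`wp_http_validate_url` also rejects URLs that resolve to private or loopback addresses, which is why it is used in front of the host pin rather than a bare `filter_var` check.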

Miscellaneous

Original Researcher
ll
Verified
No

Timeline

Publicly Published
2026-04-17
Added
2026-04-17
Last Updated
2026-04-17