Token Authentication Bypass in Royal MCP WordPress Plugin
CVE-2026-10750
What is CVE-2026-10750?
The Royal MCP WordPress plugin prior to version 1.4.26 lacks sufficient capability checks following token authentication. This deficiency permits authenticated users, even those with low-privileged roles such as Subscribers, to access private content, enumerate users and their roles, and manipulate content owned by other users. This vulnerability poses a serious risk of unauthorized access and content manipulation within the WordPress environment.
Affected Version(s)
Royal MCP: all versions before 1.4.26
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved