Unauthenticated Access Control Flaw in Royal MCP Plugin by PatchStack
CVE-2026-40775

7.3HIGH

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
15 June 2026

What is CVE-2026-40775?

The Royal MCP plugin for WordPress exhibits a vulnerability stemming from unauthenticated broken access control in versions up to 1.4.2. This weakness may allow unauthorized users to access sensitive functionalities or data, creating potential security risks for websites that utilize this plugin. PatchStack provides insight into this issue, emphasizing the importance of updating to secure versions to mitigate the risk.

Affected Version(s)

Royal MCP <= 1.4.2

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alexis Lafontaine | Patchstack Bug Bounty Program
.