Arbitrary File Upload and Remote Code Execution in NiteoThemes Plugin for WordPress
CVE-2026-6518
Key Information:
- Vendor: WordPress
- CVE Published: 18 April 2026
What is CVE-2026-6518?
The CMP β Coming Soon & Maintenance Plugin by NiteoThemes for WordPress is vulnerable to arbitrary file upload and remote code execution. The flaw is an access-control weakness: the cmp_theme_update_install AJAX action checks only for the publish_pages capability, so authenticated users with Administrator-level access can reach it. An attacker with that access can make the server download a malicious ZIP archive from a remote source and extract it into a publicly accessible directory, which can lead to unauthorized code execution. Because the action lacks a proper nonce for Editors, Editors cannot exploit the flaw, but the weak check is a serious security oversight that could be leveraged by malicious actors with sufficient privileges.
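As an added illustration (not the plugin's own code, which this advisory does not show), the following is how a WordPress AJAX handler of this kind can be written to avoid the weaknesses described above: a nonce check on the request, an install-level capability instead of publish_pages, a server-side allow-list for the download location, and extraction into a private staging directory instead of a web-served one. Only the action name comes from the advisory; the function name, the request parameters and the URLs are assumptions.

```php
<?php
// Hardened handler for the cmp_theme_update_install AJAX action.
// Hypothetical illustration: function, parameter and URL names are assumed.
require_once ABSPATH . 'wp-admin/includes/file.php'; // download_url(), unzip_file()

add_action( 'wp_ajax_cmp_theme_update_install', 'cmp_hardened_theme_update_install' );

function cmp_hardened_theme_update_install() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request when it is missing or invalid.
    check_ajax_referer( 'cmp_theme_update_install', '_wpnonce' );

    // 2. Least privilege: fetching and unpacking code is an install operation, so
    //    require the capability WordPress uses for that. publish_pages is also held
    //    by Editors; install_themes is granted only to Administrators by default.
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Never take the download URL from the request. Resolve it from a fixed,
    //    server-side allow-list so the handler cannot be pointed at an arbitrary host.
    $allowed = array(
        'theme-update' => 'https://updates.example.invalid/cmp/theme.zip', // placeholder
    );
    $package = isset( $_POST['package'] ) ? sanitize_key( wp_unslash( $_POST['package'] ) ) : '';
    if ( ! isset( $allowed[ $package ] ) ) {
        wp_send_json_error( 'unknown package', 400 );
    }

    // 4. Use the core downloader: temp file, timeout, WP_Error on failure.
    $tmp = download_url( $allowed[ $package ], 30 );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }

    // 5. Extract into a private staging directory under the system temp dir, not
    //    into a publicly accessible path. Validating and installing the staged
    //    files is a separate step and is not shown here.
    WP_Filesystem();
    $staging = trailingslashit( get_temp_dir() ) . 'cmp-staging-' . wp_generate_password( 12, false );
    $result  = unzip_file( $tmp, $staging );
    @unlink( $tmp );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }

    wp_send_json_success( array( 'staged_in' => $staging ) );
}
```

For detection, requests to admin-ajax.php with action=cmp_theme_update_install from accounts below Administrator, or from accounts that never use this plugin's admin screens, are worth alerting on in web-server or WordPress audit logs.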
Affected Version(s)
CMP β Coming Soon & Maintenance Plugin by NiteoThemes, versions 0 through 4.1.16 (inclusive)