CVE-2026-10750

8.1 HIGH (CVSS 3.1) · Exploitation: PoC
Description
The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

Metadata

CVE ID
CVE-2026-10750
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-03 13:54 UTC
Published
2026-07-01 06:00 UTC
Last updated
2026-07-01 10:20 UTC
Vendor / Product
Unknown / Royal MCP
Sources
cve.org  ·  NVD

Severity & Metrics

8.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
Vendor | Product | Platform | Versions
Unknown | Royal MCP | - | 0 < 1.4.26
Weakness (CWE)
CWE | Source | Description
CWE-862 | cna | Missing Authorization
CVSS scores (1)
Score | Severity | Version | Source | Vector
8.1 | HIGH | 3.1 | adp | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N