CVE-2026-6518
Arbitrary File Upload in CMP Plugin Enables Remote Code Execution
Publication date: 2026-04-18
Last updated on: 2026-04-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| niteothemes | cmp_coming_soon_&_maintenance_plugin | to 4.1.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CMP β Coming Soon & Maintenance Plugin by NiteoThemes for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to and including 4.1.16. This occurs via the `cmp_theme_update_install` AJAX action because the function only checks for the `publish_pages` capability (which Editors and above have) instead of the more restrictive `manage_options` capability (Administrators only). Additionally, there is no proper validation of the user-supplied file URL and no verification of the downloaded file's content before extraction.
As a result, authenticated attackers with Administrator-level access or higher can force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), leading to remote code execution. Editors cannot exploit this vulnerability due to the lack of a nonce.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the CMP β Coming Soon & Maintenance Plugin by NiteoThemes to a version later than 4.1.16 where this issue is fixed.
Additionally, restrict plugin access to only trusted Administrator-level users, as the vulnerability requires at least Administrator privileges to exploit.
Consider monitoring and restricting the ability to perform AJAX actions related to `cmp_theme_update_install` to prevent unauthorized file uploads.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Administrator-level access to upload and execute arbitrary code on the affected WordPress server. This can lead to full compromise of the website, including unauthorized access, data theft, defacement, or using the server as a launchpad for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated attackers with Administrator-level access to execute arbitrary code on the server by uploading and extracting malicious files. Such unauthorized remote code execution can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive information.
Consequently, organizations using the affected plugin may face increased risks of non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
However, the provided information does not explicitly describe the direct impact on compliance or specific regulatory consequences.