CVE-2026-6518
Received Received - Intake
Arbitrary File Upload in CMP Plugin Enables Remote Code Execution

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: Wordfence

Description
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6518
EUVD
EUVD-2026-23654
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
niteothemes cmp_coming_soon_&_maintenance_plugin to 4.1.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should update the CMP – Coming Soon & Maintenance Plugin by NiteoThemes to a version later than 4.1.16 where this issue is fixed.

Additionally, restrict plugin access to only trusted Administrator-level users, as the vulnerability requires at least Administrator privileges to exploit.

Consider monitoring and restricting the ability to perform AJAX actions related to `cmp_theme_update_install` to prevent unauthorized file uploads.

Executive Summary

The CMP – Coming Soon & Maintenance Plugin by NiteoThemes for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to and including 4.1.16. This occurs via the `cmp_theme_update_install` AJAX action because the function only checks for the `publish_pages` capability (which Editors and above have) instead of the more restrictive `manage_options` capability (Administrators only). Additionally, there is no proper validation of the user-supplied file URL and no verification of the downloaded file's content before extraction.

As a result, authenticated attackers with Administrator-level access or higher can force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), leading to remote code execution. Editors cannot exploit this vulnerability due to the lack of a nonce.

Impact Analysis

This vulnerability can allow an attacker with Administrator-level access to upload and execute arbitrary code on the affected WordPress server. This can lead to full compromise of the website, including unauthorized access, data theft, defacement, or using the server as a launchpad for further attacks.

Compliance Impact

This vulnerability allows authenticated attackers with Administrator-level access to execute arbitrary code on the server by uploading and extracting malicious files. Such unauthorized remote code execution can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive information.

Consequently, organizations using the affected plugin may face increased risks of non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly describe the direct impact on compliance or specific regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart