CVE-2026-54842
Deferred Deferred - Pending Action

Missing Authorization in Royal MCP

Vulnerability report for CVE-2026-54842, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Patchstack

Description

Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
royal_plugins royal_mcp From 1.0.0 (inc) to 1.4.25 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Royal Plugins Royal MCP involves missing authorization and broken access control, which can allow unprivileged users to perform higher-privileged actions. Such unauthorized access can lead to exposure or manipulation of sensitive data.

This type of security flaw can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls to protect personal and sensitive information. Failure to properly restrict access may result in unauthorized data disclosure or modification, potentially leading to regulatory violations and associated penalties.

Therefore, organizations using affected versions of the Royal MCP plugin should urgently update to a patched version to maintain compliance and reduce risk.

Executive Summary

CVE-2026-54842 is a Broken Access Control vulnerability in the WordPress Royal MCP Plugin versions 1.4.25 and below. It occurs due to missing authorization, authentication, or nonce token checks, which allows unprivileged users to perform actions that should require higher privileges.

This means that users without proper permissions can exploit the plugin to gain unauthorized access or perform restricted operations.

Impact Analysis

This vulnerability can have a severe impact as it allows attackers to perform higher-privileged actions without proper authorization.

  • Unauthorized users may gain control over sensitive functions or data within the affected website.
  • It can lead to data breaches, unauthorized changes, or disruption of website functionality.
  • Because of its high severity (CVSS score 8.1), it is likely to be targeted in mass-exploit campaigns affecting many websites.

Immediate action such as updating the plugin to version 1.4.26 or later is recommended to mitigate these risks.

Mitigation Strategies

Immediate action is recommended to mitigate the vulnerability in the Royal MCP plugin versions 1.4.25 and below.

  • Update the Royal MCP plugin to version 1.4.26 or later.
  • If updating is not possible, seek assistance from your hosting provider or web developer.
  • Apply the mitigation rule issued by Patchstack to block attacks until the plugin is updated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54842. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart