CVE-2026-10750
Royal MCP WordPress Plugin Privilege Escalation Vulnerability

Vulnerability report for CVE-2026-10750, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: WPScan

Description

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

CVSS Score: 8.1 (High)

EPSS Score: not yet evaluated

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor / Product: royal_mcp plugin
Version / Range: all versions before 1.4.26 (1.4.26 itself is not affected)

CWE ID: CWE-UNKNOWN (no CWE identifier assigned to this record yet)

Executive Summary

The Royal MCP WordPress plugin before version 1.4.26 has a security flaw where it does not properly check user capabilities after token authentication. This means that users with low-privileged roles, such as Subscribers, can perform actions they should not be allowed to do.

  • They can read private content.
  • They can enumerate all users and their roles.
  • They can create, modify, or delete content owned by other users.

This vulnerability is classified as Broken Access Control and has a high severity with a CVSS score of 8.1.

Compliance Impact

The vulnerability in the Royal MCP WordPress plugin allows low-privileged authenticated users to access private content, enumerate users and their roles, and modify or delete content owned by others. This unauthorized access and modification of private data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Specifically, the failure to perform proper capability checks after token authentication constitutes broken access control, increasing the risk of data breaches and unauthorized data manipulation. Such incidents can result in non-compliance with standards that mandate confidentiality, integrity, and proper authorization mechanisms for protected data.

Impact Analysis

If you use the Royal MCP plugin before version 1.4.26, this vulnerability can allow low-privileged authenticated users to access and manipulate data they should not have access to.

  • Unauthorized reading of private content could lead to data leakage.
  • Enumerating users and their roles could aid attackers in planning further attacks.
  • Creating, modifying, or deleting content owned by other users could result in data integrity issues and potential loss of important information.

Overall, this could compromise the confidentiality, integrity, and availability of your WordPress site content.

Detection Guidance

This vulnerability involves insufficient authorization checks in the Royal MCP WordPress plugin prior to version 1.4.26, allowing low-privileged authenticated users to perform unauthorized actions.

To detect this vulnerability on your system, you can check the installed version of the Royal MCP plugin to see if it is older than 1.4.26.

Suggested ways to detect the vulnerable plugin version include:

  • Using WP-CLI to list active plugins together with their installed versions: wp plugin list --status=active
  • Manually inspecting the plugin's readme or main PHP file header for the version string.
  • Reviewing user activity logs for suspicious actions by low-privileged users, such as reading private content, listing all users, or modifying other users' content.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Royal MCP WordPress plugin to version 1.4.26 or later, where the issue has been patched.

Additionally, review user roles and permissions to ensure that low-privileged users do not have unnecessary access.

If an immediate update is not possible, consider temporarily restricting access to the plugin's MCP tools or disabling the plugin until the patch can be applied.
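The description above names the flaw as a missing capability check that happens after token authentication, and the mitigation is to restore that check per tool. The following PHP is an added illustrative example written for this page; it is not code from the Royal MCP plugin. It shows an MCP-style tool dispatcher in the vulnerable shape (token resolves to a user, then every tool runs) beside a hardened shape that maps each tool to a WordPress capability and checks it with current_user_can(), passing the post ID so that object-level meta-capabilities (read_post, edit_post, delete_post) are evaluated against the specific post. Tool names, the capability table and every royal_mcp_example_* name are hypothetical; the WordPress functions used (wp_set_current_user, current_user_can, get_users, get_post, wp_insert_post, wp_update_post, wp_delete_post, WP_Error) are the real core APIs.

```php
<?php
/**
 * Added illustrative example (not code from the Royal MCP plugin).
 * Token authentication establishes WHO is calling; the step the advisory
 * says is missing is the capability check that decides WHAT that user may do.
 * Tool names, the capability table and all royal_mcp_example_* names are
 * hypothetical.
 */

// Capability each hypothetical tool requires. 'read_post', 'edit_post' and
// 'delete_post' are WordPress meta-capabilities: when a post ID is passed,
// core resolves them against the post's owner and status, so a Subscriber
// is denied edit/delete on another user's post and read on a private one.
const ROYAL_MCP_EXAMPLE_TOOL_CAPS = [
    'list_users'  => 'list_users',  // Subscriber lacks this (administrators only by default)
    'create_post' => 'edit_posts',  // Subscriber lacks this (Contributor and above)
    'read_post'   => 'read_post',   // meta-cap, checked with a post ID
    'update_post' => 'edit_post',   // meta-cap, checked with a post ID
    'delete_post' => 'delete_post', // meta-cap, checked with a post ID
];

// Vulnerable shape: once the token has resolved to a WP_User, every tool runs.
function royal_mcp_example_dispatch_vulnerable( WP_User $user, string $tool, array $args ) {
    wp_set_current_user( $user->ID );
    return royal_mcp_example_run_tool( $tool, $args ); // no current_user_can() anywhere
}

// Hardened shape: authenticate, then authorize per tool and, where relevant, per object.
function royal_mcp_example_dispatch_hardened( WP_User $user, string $tool, array $args ) {
    wp_set_current_user( $user->ID );

    if ( ! isset( ROYAL_MCP_EXAMPLE_TOOL_CAPS[ $tool ] ) ) {
        return new WP_Error( 'unknown_tool', 'Unknown tool', [ 'status' => 404 ] );
    }
    $cap     = ROYAL_MCP_EXAMPLE_TOOL_CAPS[ $tool ];
    $post_id = isset( $args['post_id'] ) ? (int) $args['post_id'] : 0;

    // Pass the post ID so meta-capabilities are evaluated against that post;
    // primitive capabilities (list_users, edit_posts) are checked directly.
    $allowed = $post_id ? current_user_can( $cap, $post_id ) : current_user_can( $cap );
    if ( ! $allowed ) {
        return new WP_Error( 'forbidden', 'Insufficient capability for tool', [ 'status' => 403 ] );
    }
    return royal_mcp_example_run_tool( $tool, $args );
}

// The tools themselves do no authorization; that is the dispatcher's job.
function royal_mcp_example_run_tool( string $tool, array $args ) {
    switch ( $tool ) {
        case 'list_users':
            return array_map(
                fn( WP_User $u ) => [ 'id' => $u->ID, 'roles' => $u->roles ],
                get_users( [ 'fields' => 'all' ] )
            );
        case 'read_post':
            return get_post( (int) $args['post_id'] );
        case 'create_post':
            return wp_insert_post(
                [ 'post_title' => $args['title'] ?? '', 'post_content' => $args['content'] ?? '' ],
                true // return WP_Error on failure instead of 0
            );
        case 'update_post':
            return wp_update_post(
                [ 'ID' => (int) $args['post_id'], 'post_content' => $args['content'] ?? '' ],
                true
            );
        case 'delete_post':
            return wp_delete_post( (int) $args['post_id'], false ); // false = move to trash
    }
    return new WP_Error( 'unknown_tool', 'Unknown tool' );
}
```

The design point is that authentication and authorization are separate decisions: a valid token only tells the dispatcher which WordPress user is calling, and each tool still has to be gated by the capability that the equivalent wp-admin or REST action would require. Checking meta-capabilities with the object ID is what blocks the cross-user reads and writes the advisory describes, since a role-level check alone would still let an author edit every other author's post.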
