Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (Patchstack) · only source for this CVE.
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions.
AnalysisAI
Broken access control in the Royal MCP WordPress plugin (versions 1.4.2 and earlier) allows remote attackers to invoke protected functionality without proper authorization checks. The flaw, classified as CWE-862 (Missing Authorization), was reported by Patchstack and tracked as EUVD-2026-36984. No public exploit identified at time of analysis, and the CVSS 7.3 score reflects low-complexity network exploitation with partial impact across confidentiality, integrity, and availability.
Broken access control in the Royal MCP WordPress plugin before 1.4.26 lets any authenticated low-privileged user (e.g. S
Broken access control in the Royal MCP WordPress plugin (versions up to and including 1.4.25) lets authenticated low-pri
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36984
GHSA-45gp-ghq2-mh75