Skip to main content

Royal MCP CVE-2026-54842

| EUVDEUVD-2026-39387 HIGH
Missing Authorization (CWE-862)
2026-06-25 Patchstack GHSA-7649-6hf2-rxrp
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable, low complexity, no interaction; PR:L because a logged-in low-privilege account is required; high C/I from unauthorized data read and modification, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:25 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Royal MCP: from n/a through 1.4.25.

AnalysisAI

Broken access control in the Royal MCP WordPress plugin (versions up to and including 1.4.25) lets authenticated low-privilege users reach functionality that should be restricted, due to a missing authorization check. With a CVSS of 8.1 and high confidentiality and integrity impact, an attacker holding even a basic account can read and alter data they should not be able to touch. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Exploit
Send request to unprotected Royal MCP endpoint
Execution
Bypass missing authorization check
Impact
Read or modify restricted data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session at low privilege (CVSS PR:L) - the attacker must hold a valid WordPress account, so the most exposed deployments are those with open registration enabled or with many low-trust users (subscribers, customers, members). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately consistent and point to a real but not emergency-level priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege WordPress account (for example a subscriber on a site with open registration), then sends a crafted request directly to a Royal MCP action or endpoint that lacks a proper capability check. Because authorization is missing, the request succeeds and the attacker reads or modifies data normally reserved for higher-privileged roles. …
Remediation No vendor-released patch version is identified at time of analysis; the data only confirms versions through 1.4.25 are affected, so administrators should monitor the Royal Plugins changelog and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/royal-mcp/vulnerability/wordpress-royal-mcp-plugin-1-4-25-broken-access-control-vulnerability) and upgrade to the first release above 1.4.25 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit WordPress infrastructure to identify installations using Royal MCP plugin; disable the plugin immediately if non-critical, or restrict access to trusted administrators only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy