Skip to main content

Royal Mcp

3 CVEs product

Monthly

CVE-2026-10750 HIGH POC PATCH This Week

Broken access control in the Royal MCP WordPress plugin before 1.4.26 lets any authenticated low-privileged user (e.g. Subscriber) invoke privileged MCP tools that skip capability checks after token authentication, exposing private content, full user/role enumeration, and create/modify/delete operations on other users' content. Reported by WPScan with a publicly available exploit and a vendor patch in 1.4.26; the CVSS 8.1 vector (PR:L) confirms authenticated but not administrative access is required. There is no public exploit identified as actively exploited - status is POC only, not CISA KEV.

WordPress Information Disclosure Royal Mcp
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-54842 HIGH This Week

Broken access control in the Royal MCP WordPress plugin (versions up to and including 1.4.25) lets authenticated low-privilege users reach functionality that should be restricted, due to a missing authorization check. With a CVSS of 8.1 and high confidentiality and integrity impact, an attacker holding even a basic account can read and alter data they should not be able to touch. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Royal Mcp
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-40775 HIGH This Week

Broken access control in the Royal MCP WordPress plugin (versions 1.4.2 and earlier) allows remote attackers to invoke protected functionality without proper authorization checks. The flaw, classified as CWE-862 (Missing Authorization), was reported by Patchstack and tracked as EUVD-2026-36984. No public exploit identified at time of analysis, and the CVSS 7.3 score reflects low-complexity network exploitation with partial impact across confidentiality, integrity, and availability.

Authentication Bypass Royal Mcp
NVD
CVSS 3.1
7.3
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Broken access control in the Royal MCP WordPress plugin before 1.4.26 lets any authenticated low-privileged user (e.g. Subscriber) invoke privileged MCP tools that skip capability checks after token authentication, exposing private content, full user/role enumeration, and create/modify/delete operations on other users' content. Reported by WPScan with a publicly available exploit and a vendor patch in 1.4.26; the CVSS 8.1 vector (PR:L) confirms authenticated but not administrative access is required. There is no public exploit identified as actively exploited - status is POC only, not CISA KEV.

WordPress Information Disclosure Royal Mcp
NVD WPScan VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Broken access control in the Royal MCP WordPress plugin (versions up to and including 1.4.25) lets authenticated low-privilege users reach functionality that should be restricted, due to a missing authorization check. With a CVSS of 8.1 and high confidentiality and integrity impact, an attacker holding even a basic account can read and alter data they should not be able to touch. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Royal Mcp
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Broken access control in the Royal MCP WordPress plugin (versions 1.4.2 and earlier) allows remote attackers to invoke protected functionality without proper authorization checks. The flaw, classified as CWE-862 (Missing Authorization), was reported by Patchstack and tracked as EUVD-2026-36984. No public exploit identified at time of analysis, and the CVSS 7.3 score reflects low-complexity network exploitation with partial impact across confidentiality, integrity, and availability.

Authentication Bypass Royal Mcp
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy