CVE Catalog

CVE-2026-10750

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

The Royal MCP WordPress plugin before version 1.4.26 does not perform capability checks on most of its MCP tools after token authentication, allowing authenticated users with low-privileged roles such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

Risk Assessment

The organization is at risk of confidential data leakage, unauthorized access to content, and content manipulation by unauthorized users, potentially compromising system integrity and confidentiality.

Recommendation

Immediately update the Royal MCP plugin to version 1.4.26 or later, and review and restrict user permissions, especially for users with the Subscriber role.

Original NVD description (English source)

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS