Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1945+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-6518: WordPress CMP Plugin Arbitrary File Upload
CVE-2026-6518: WordPress CMP Plugin Arbitrary File Upload
SECURITYHIGHCVE-2026-6518

CVE-2026-6518: WordPress CMP Plugin Arbitrary File Upload

The CMP Coming Soon & Maintenance Plugin for WordPress contains a critical arbitrary file upload flaw that allows subscriber-level authenticated users to...

Dylan H.

Security Team

April 18, 2026
3 min read

Affected Products

  • CMP – Coming Soon & Maintenance Plugin by NiteoThemes versions up to and including 4.1.16

Overview

CVE-2026-6518 is a high-severity (CVSS 8.8) arbitrary file upload and remote code execution vulnerability in the CMP – Coming Soon & Maintenance Plugin developed by NiteoThemes for WordPress. The plugin, used to display maintenance and coming-soon pages on WordPress sites, fails to properly validate user capabilities before allowing theme installation via an AJAX endpoint.

Technical Details

The vulnerability exists in the cmp_theme_update_install AJAX action handler. The function is intended to allow administrators to install custom themes for the maintenance page, but the capability check is incorrectly implemented — it only verifies that the user has publish_pages permission rather than requiring a proper administrative capability like install_themes or manage_options.

The publish_pages capability is granted to the Subscriber role by some WordPress configurations and many membership/e-commerce plugins, making this vulnerability exploitable by any logged-in user in those setups.

Exploitation Chain

  1. An attacker registers or logs in as a subscriber-level account on the target WordPress site.
  2. The attacker crafts a malicious ZIP file containing a PHP webshell disguised as a WordPress theme.
  3. The attacker sends a POST request to /wp-admin/admin-ajax.php with action cmp_theme_update_install and the malicious ZIP as the theme payload.
  4. The server extracts and installs the "theme" without adequate validation.
  5. The attacker accesses the uploaded PHP shell directly, achieving remote code execution with web server privileges.

Example Request

POST /wp-admin/admin-ajax.php HTTP/1.1
Cookie: wordpress_logged_in_...=subscriber_session_cookie
Content-Type: multipart/form-data; boundary=----boundary
 
------boundary
Content-Disposition: form-data; name="action"
 
cmp_theme_update_install
------boundary
Content-Disposition: form-data; name="themezip"; filename="malicious-theme.zip"
Content-Type: application/zip
 
[ZIP containing shell.php]
------boundary--

Affected Versions

  • CMP – Coming Soon & Maintenance Plugin versions 4.1.16 and earlier.

The plugin has over 100,000 active installations according to the WordPress plugin repository, making the potential attack surface significant.

Fix

NiteoThemes has released a patched version that corrects the capability check to require manage_options, restricting theme installation to site administrators only. Update via the WordPress admin dashboard or WP-CLI:

wp plugin update cmp-coming-soon-maintenance

Impact Assessment

FactorDetail
CVSS Score8.8 (High)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow (Subscriber)
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

Recommendations

  • Update the CMP plugin to version 4.1.17 or later immediately.
  • Audit user roles — check whether any non-administrative users have been granted publish_pages capability unexpectedly, especially via membership plugins.
  • Review uploaded files — scan the WordPress themes directory for any unrecognized or recently added theme folders, particularly those containing PHP files.
  • Implement a WAF rule — block POST requests to admin-ajax.php with action=cmp_theme_update_install from non-administrator sessions as a temporary mitigation.
  • Disable user registration — if subscriber-level registration is not required, disable it to reduce the attack surface for this and similar subscriber-privilege-escalation vulnerabilities.

WordPress Plugin Security Context

Arbitrary file upload via misconfigured capability checks is one of the most common and dangerous vulnerability classes in the WordPress ecosystem. Plugin developers must use current_user_can('install_themes') or current_user_can('manage_options') for any action that installs, modifies, or uploads files to the server — not weaker capabilities like publish_pages that may be delegated to low-privileged roles.

References

  • NVD: CVE-2026-6518
  • WordPress Plugin: CMP – Coming Soon & Maintenance
  • WordPress Capability Reference

Related Reading

  • CVE-2015-20115: RealtyScript 4.0.2 Stored XSS via File
  • CVE-2025-2749: Kentico Xperience Path Traversal
  • CVE-2026-3445: ProfilePress WordPress Plugin Allows
#CVE#Vulnerability#WordPress#File Upload#Remote Code Execution#Plugin

Related Articles

CVE-2026-7515: BetterDocs Pro WordPress Plugin — Unauthenticated Local File Inclusion

A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and...

6 min read

CVE-2026-11964: WordPress User Registration Plugin PayPal Webhook Bypass

The User Registration & Membership WordPress plugin before 5.2.2 fails to verify PayPal webhook signatures, allowing unauthenticated attackers to forge payment events and gain free premium memberships.

3 min read

CVE-2026-48939: iCagenda Unrestricted File Upload Allows PHP Code Execution

A critical unrestricted file upload vulnerability in the iCagenda Joomla event calendar plugin allows unauthenticated attackers to upload arbitrary PHP...

3 min read
Back to all Security Alerts