Overview
CVE-2026-6518 is a high-severity (CVSS 8.8) arbitrary file upload and remote code execution vulnerability in the CMP – Coming Soon & Maintenance Plugin developed by NiteoThemes for WordPress. The plugin, used to display maintenance and coming-soon pages on WordPress sites, fails to properly validate user capabilities before allowing theme installation via an AJAX endpoint.
Technical Details
The vulnerability exists in the cmp_theme_update_install AJAX action handler. The function is intended to let administrators install custom themes for the maintenance page, but its capability check is incorrectly implemented: it only verifies that the user has the publish_pages capability rather than requiring a proper administrative capability such as install_themes or manage_options.
publish_pages is a content-editing capability, not an administrative one. By default WordPress grants it to the Administrator and Editor roles only, so an Editor account can already reach the handler on a stock install. Some WordPress configurations and many membership/e-commerce plugins grant it to the Subscriber role as well, making the vulnerability exploitable by any logged-in user in those setups.
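To make the weak check concrete, here is an added, illustrative PHP reconstruction of the bug class beside a hardened handler. It is not the plugin's source and not NiteoThemes' patch: the only identifier taken from the advisory is the AJAX action name; the upload field name (themezip, as in the example request further down), the nonce action name and the function names are assumptions. The hardened version deliberately keeps the same handler shape so the two can be compared line by line; a production plugin would more likely delegate to WordPress's own Theme_Upgrader.

```php
<?php
/**
 * Added, illustrative reconstruction of the vulnerability class in this advisory.
 * Not the plugin's source and not the vendor's patch: the AJAX action name is the
 * one named in the advisory; the field name 'themezip', the nonce action
 * 'cmp_theme_install' and the function names are assumptions for illustration.
 */

// ---- Weak handler (the bug class) ------------------------------------------
// publish_pages is an editing capability: Editors hold it by default, and
// membership/e-commerce plugins may hand it to Subscribers. Gating a theme
// installer on it lets every such account write an attacker-supplied archive
// into wp-content/themes. Left unregistered here, for comparison only.
function cmp_example_install_weak() {
    if ( ! current_user_can( 'publish_pages' ) ) {   // wrong capability
        wp_send_json_error( 'forbidden', 403 );
    }
    // No nonce, no upload validation: the ZIP is extracted as uploaded.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();
    $result = unzip_file( $_FILES['themezip']['tmp_name'], get_theme_root() );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( 'installed' );
}

// ---- Hardened handler -------------------------------------------------------
add_action( 'wp_ajax_cmp_theme_update_install', 'cmp_example_install_hardened' );
function cmp_example_install_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action (dies otherwise).
    check_ajax_referer( 'cmp_theme_install', 'nonce' );

    // 2. Authorization: install_themes is the capability core itself uses for
    //    this operation; manage_options (what the patch reportedly uses) also
    //    limits the action to administrators on a single site.
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input: exactly one successfully uploaded ZIP, vetted by the core upload API.
    if ( empty( $_FILES['themezip'] ) || UPLOAD_ERR_OK !== $_FILES['themezip']['error'] ) {
        wp_send_json_error( 'missing or failed upload', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload(
        $_FILES['themezip'],
        array( 'test_form' => false, 'mimes' => array( 'zip' => 'application/zip' ) )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    // 4. Extract into a scratch directory, prove it is a real theme, then move it.
    WP_Filesystem();
    global $wp_filesystem;
    $scratch = trailingslashit( get_temp_dir() ) . 'cmp-theme-' . wp_generate_password( 12, false );
    $result  = unzip_file( $upload['file'], $scratch );
    wp_delete_file( $upload['file'] );
    if ( is_wp_error( $result ) ) {
        $wp_filesystem->delete( $scratch, true );
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    $dirs = glob( $scratch . '/*', GLOB_ONLYDIR );
    $slug = ( 1 === count( $dirs ) ) ? basename( $dirs[0] ) : '';
    $dest = trailingslashit( get_theme_root() ) . $slug;
    // WP_Theme with an explicit theme root parses style.css and reports a
    // WP_Error for anything that is not a theme (no style.css, no Theme Name ...).
    $theme = $slug ? new WP_Theme( $slug, $scratch ) : null;
    if ( ! $theme || ! $theme->exists() || $theme->errors() || is_dir( $dest ) ) {
        $wp_filesystem->delete( $scratch, true );
        wp_send_json_error( 'archive is not a single, new, valid theme', 400 );
    }
    $wp_filesystem->mkdir( $dest, FS_CHMOD_DIR );
    $copied = copy_dir( $dirs[0], $dest );
    $wp_filesystem->delete( $scratch, true );
    if ( is_wp_error( $copied ) ) {
        wp_send_json_error( $copied->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The three added controls are independent: the nonce stops a cross-site request riding an administrator's session, the capability check stops low-privileged accounts, and the scratch-directory validation means even an administrator cannot drop a bare PHP file into wp-content/themes through this endpoint.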
Exploitation Chain
- An attacker registers or logs in as a subscriber-level account on the target WordPress site (or as any other account whose role carries publish_pages).
- The attacker crafts a malicious ZIP file containing a PHP webshell disguised as a WordPress theme.
- The attacker sends a POST request to /wp-admin/admin-ajax.php with action=cmp_theme_update_install and the malicious ZIP as the theme payload.
- The server extracts and installs the "theme" into the themes directory without adequate validation.
- The attacker requests the uploaded PHP file directly under wp-content/themes/, achieving remote code execution with web server privileges.
Example Request
POST /wp-admin/admin-ajax.php HTTP/1.1
Cookie: wordpress_logged_in_...=subscriber_session_cookie
Content-Type: multipart/form-data; boundary=----boundary

------boundary
Content-Disposition: form-data; name="action"

cmp_theme_update_install
------boundary
Content-Disposition: form-data; name="themezip"; filename="malicious-theme.zip"
Content-Type: application/zip

[ZIP containing shell.php]
------boundary--

Affected Versions
- CMP – Coming Soon & Maintenance Plugin versions 4.1.16 and earlier.
The plugin has over 100,000 active installations according to the WordPress plugin repository, making the potential attack surface significant.
Fix
NiteoThemes has released a patched version that corrects the capability check to require manage_options, restricting theme installation to site administrators only. Update via the WordPress admin dashboard or WP-CLI:
wp plugin update cmp-coming-soon-maintenance

Impact Assessment
| Factor | Detail |
|---|---|
| CVSS Score | 8.8 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (Subscriber) |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Recommendations
- Update the CMP plugin to version 4.1.17 or later immediately.
- Audit user roles. Check whether any non-administrative role, or any individual user, has been granted the publish_pages capability unexpectedly, especially via membership plugins; keep in mind that Editors hold it by default.
- Review uploaded files. Inspect the WordPress themes directory (wp-content/themes/) for unrecognized or recently added theme folders. Every legitimate theme contains PHP files, so the signal is a folder you did not deploy, a folder WordPress does not recognize as a valid theme, or PHP files modified outside your normal release process.
- Implement a WAF rule. As a temporary mitigation until the update is applied, block POST requests to admin-ajax.php with action=cmp_theme_update_install. Most WAFs cannot tell an administrator's session from a subscriber's, so expect to block the action for everyone; this only affects the plugin's theme installer feature.
- Disable user registration. If subscriber-level registration is not required, disable it to reduce the attack surface for this and similar subscriber-privilege-escalation vulnerabilities.
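An added audit helper for the role and theme-directory checks in the list above. It is my own script, not part of the plugin or of this advisory; it is meant to be run on the affected site with WP-CLI (wp eval-file cmp-audit.php). It assumes a single site rather than a multisite network, and the 14-day window is an arbitrary starting point.

```php
<?php
/**
 * Added audit helper for the role and theme-directory checks recommended above.
 * Not part of the plugin or of this advisory. Run on the affected site with
 * WP-CLI:   wp eval-file cmp-audit.php
 * Assumptions: WP-CLI is available, the site is a single site (not multisite),
 * and the 14-day window is an arbitrary starting point.
 */

// 1. Roles that hold publish_pages. Out of the box only Administrator and
//    Editor do; any other role points at a membership/e-commerce plugin or
//    custom code that widened the capability.
function cmp_audit_roles_with_cap( $cap = 'publish_pages', $expected = array( 'administrator', 'editor' ) ) {
    $suspect = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) && ! in_array( $slug, $expected, true ) ) {
            $suspect[] = $slug;
        }
    }
    return $suspect;
}

// 2. Users who pass the weak check but could not legitimately install themes.
//    Capabilities can also be granted per user (usermeta), so roles alone are
//    not enough; every login listed could have reached the unpatched endpoint.
//    Note: get_users() loads every account, so expect this to be slow on large sites.
function cmp_audit_users_with_cap( $cap = 'publish_pages' ) {
    $hits = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
        if ( user_can( $user->ID, $cap ) && ! user_can( $user->ID, 'install_themes' ) ) {
            $hits[] = $user->user_login;
        }
    }
    return $hits;
}

// 3. Directories under wp-content/themes that WordPress does not accept as
//    themes (no style.css, no Theme Name header, ...). A ZIP built to drop a
//    webshell rarely bothers with a valid header, so it shows up here.
function cmp_audit_broken_themes() {
    $broken = array();
    foreach ( wp_get_themes( array( 'errors' => true ) ) as $slug => $theme ) {
        $broken[ $slug ] = $theme->errors()->get_error_message();
    }
    return $broken;
}

// 4. PHP files anywhere under the theme root modified within the window.
//    Every real theme contains PHP, so recency, not presence, is the signal;
//    compare the list against your deployment history.
function cmp_audit_recent_php( $days = 14 ) {
    $cutoff = time() - $days * DAY_IN_SECONDS;
    $recent = array();
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( get_theme_root(), FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( 'php' === strtolower( $file->getExtension() ) && $file->getMTime() >= $cutoff ) {
            $recent[] = $file->getPathname();
        }
    }
    sort( $recent );
    return $recent;
}

$report = array(
    'roles_with_publish_pages'       => cmp_audit_roles_with_cap(),
    'users_publish_pages_not_admin'  => cmp_audit_users_with_cap(),
    'theme_dirs_not_valid_themes'    => cmp_audit_broken_themes(),
    'php_files_changed_last_14_days' => cmp_audit_recent_php( 14 ),
);
WP_CLI::log( json_encode( $report, JSON_PRETTY_PRINT ) );
```

Treat the modification-time check as a first pass only: an attacker with code execution can reset timestamps, so confirm with a checksum comparison against a known-good copy of each theme or against your version control, and treat any broken theme directory or unexpected PHP file as evidence of compromise rather than as something to simply delete.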
WordPress Plugin Security Context
Arbitrary file upload via misconfigured capability checks is one of the most common and dangerous vulnerability classes in the WordPress ecosystem. Plugin developers must gate any action that installs, modifies, or uploads files to the server on an administrative capability such as current_user_can('install_themes') or current_user_can('manage_options'), not on weaker content capabilities like publish_pages that may be delegated to low-privileged roles. A capability check alone is also not enough for an AJAX handler: it should verify a nonce with check_ajax_referer() so that an administrator cannot be tricked into triggering the install from another site, and it should validate the upload (extension and MIME type, and that the extracted archive really is a theme) rather than unzipping whatever arrives into the themes directory.