CVE-2026-40775
Description
Unauthenticated broken access control in Royal MCP plugin <=1.4.2 allows unprivileged attackers to execute higher privileged actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Royal MCP plugin for WordPress versions up to and including 1.4.2 suffers from an unauthenticated broken access control vulnerability [1]. The issue is a missing authorization, authentication, or nonce token check in a function, allowing unprivileged users to execute higher privileged actions [1].
Exploitation
An attacker does not require authentication to exploit this vulnerability [1]. The vulnerability is expected to be used in mass-exploit campaigns, targeting thousands of websites regardless of size or popularity [1]. The exact sequence of steps is not detailed in the reference, but the lack of access control means an attacker can directly call the vulnerable function without any user interaction.
Impact
Successful exploitation allows an unauthenticated attacker to perform actions that should require higher privileges, potentially leading to full site compromise [1]. The CVSS score is 7.3 (High) [1].
Mitigation
The vulnerability is fixed in version 1.4.3 of the Royal MCP plugin [1]. Users are advised to update immediately. If unable to update, Patchstack provides a mitigation rule to block attacks until the patch is applied [1]. Auto-update can be enabled for vulnerable plugins [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.