What the vulnerability does
01Description
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.
Explanation of Vulnerability in Simple Terms
02Summary
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes versions 4.1.16 and earlier allows authenticated users with low privileges to upload files without proper validation. An attacker can upload malicious files to the site, potentially including PHP code that executes on the server. This vulnerability affects all installations of the plugin up to the stated version.
What an attacker can do
03Attacker Capabilities
Upload malicious files (including PHP code) to the site and execute them on the server.
Potential impact on your site
04Site Impact
Attackers with basic user accounts can compromise your site by uploading and running malicious code, leading to data theft or site takeover.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the WordPress site (e.g., subscriber or contributor role).
Key dates
06Disclosure timeline
April 18, 2026
CVE published
April 20, 2026
Record updated