CVE-2026-6518 HIGH

CVE-2026-6518: CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution

Vendor Niteo
Product CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Weakness CWE-434 · Unrestricted file upload
Published April 18, 2026
Last update April 20, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.

Explanation of Vulnerability in Simple Terms

02Summary

The CMP – Coming Soon & Maintenance Plugin by NiteoThemes versions 4.1.16 and earlier allows authenticated users with low privileges to upload files without proper validation. An attacker can upload malicious files to the site, potentially including PHP code that executes on the server. This vulnerability affects all installations of the plugin up to the stated version.

What an attacker can do

03Attacker Capabilities

Upload malicious files (including PHP code) to the site and execute them on the server.

Potential impact on your site

04Site Impact

Attackers with basic user accounts can compromise your site by uploading and running malicious code, leading to data theft or site takeover.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the WordPress site (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

April 18, 2026 CVE published
April 20, 2026 Record updated