๐Ÿ” CVE Alert

CVE-2026-10750

UNKNOWN 0.0

Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

Vendor unknown
Product royal mcp
Published Jul 1, 2026
Stay Ahead of the Next One

Get instant alerts for unknown royal mcp

Be the first to know when new unknown vulnerabilities affecting unknown royal mcp are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Royal MCP
0 < 1.4.26

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/8678ef91-ff05-43a1-a8e3-6d35da548826/

Credits

Alessandro Greco aka Aleff WPScan