CVE-2026-10750
Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.
| Vendor | unknown |
| Product | royal mcp |
| Published | Jul 1, 2026 |
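
The description above comes down to tool handlers running as soon as the token is accepted, with no per-tool capability check. The following is an added example of such a check, not code from the plugin or from the advisory; the tool names, the `post_id` argument and the `example_mcp_*` function names are assumptions, while `user_can()`, `WP_Error` and the capability names are standard WordPress.

```php
<?php
// Added illustration. Tool names, argument names and function names are
// hypothetical and are not taken from the Royal MCP code base.

// Capability each (hypothetical) tool requires. Object-level tools use meta
// capabilities so map_meta_cap() evaluates ownership and post status.
function example_mcp_required_cap( string $tool ): ?string {
    $map = array(
        'get_post'    => 'read_post',   // private posts need read_private_posts
        'update_post' => 'edit_post',   // others' posts need edit_others_posts
        'delete_post' => 'delete_post', // others' posts need delete_others_posts
        'create_post' => 'edit_posts',
        'list_users'  => 'list_users',  // Administrator by default
    );
    return $map[ $tool ] ?? null;
}

// Call after the token has been resolved to a WP_User and before the tool runs.
function example_mcp_authorize_tool( WP_User $token_user, string $tool, array $args ) {
    $cap = example_mcp_required_cap( $tool );
    if ( null === $cap ) {
        // Deny by default: a tool without a mapped capability never executes.
        return new WP_Error( 'mcp_unknown_tool', 'Unknown tool.', array( 'status' => 404 ) );
    }

    $meta_caps = array( 'read_post', 'edit_post', 'delete_post' );
    if ( in_array( $cap, $meta_caps, true ) ) {
        // Meta capabilities are only meaningful with the target object ID.
        $post_id = isset( $args['post_id'] ) ? absint( $args['post_id'] ) : 0;
        $allowed = $post_id > 0 && user_can( $token_user, $cap, $post_id );
    } else {
        $allowed = user_can( $token_user, $cap );
    }

    if ( ! $allowed ) {
        return new WP_Error( 'mcp_forbidden', 'Insufficient permissions for this tool.', array( 'status' => 403 ) );
    }
    return true;
}
```

With a gate of this shape, a token belonging to a Subscriber is refused on `list_users` and on read, edit or delete requests for other users' private or owned content, because the role holds none of the mapped capabilities.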
Affected Versions
Unknown / Royal MCP
0 < 1.4.26
Credits
Alessandro Greco aka Aleff WPScan