CVE-2026-6518

HIGH 8.8

CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.

CWE	CWE-434
Vendor	niteo
Product	cmp – coming soon & maintenance plugin by niteothemes
Published	Apr 18, 2026

Stay Ahead of the Next One

Get instant alerts for niteo cmp – coming soon & maintenance plugin by niteothemes

Be the first to know when new high vulnerabilities affecting niteo cmp – coming soon & maintenance plugin by niteothemes are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

niteo / CMP – Coming Soon & Maintenance Plugin by NiteoThemes

0 ≤ 4.1.16

References

NVD ↗ CVE.org ↗ EPSS Data ↗