CVE Tools
Home/Vulnerability/CVE-2026-6518

CVE-2026-6518

CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution

Published: Apr 18, 2026Updated: Apr 18, 2026 Sources: CVE List NVD
NVD MITRE
8.8CVSS
HIGH

The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.

EPSS Score
0.1%
Top 78.5%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
No Fix Available

CVSS Vector Breakdown

AV:NAC:LPR:LUI:NS:UC:HI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High

Weaknesses

CWE-434

Affected Products

CMP – Coming Soon & Maintenance Plugin by NiteoThemes
niteo

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

No known exploits, KEV entries, or remediation guidance available for this vulnerability yet.

MITRE ATT&CK

3 techniques
Command and Control
Initial Access
Persistence
View detailed technique mapping

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/d6fb275b-dbba-46df-b170-977ef4a84c4c?source=cve
wordfence.com
https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1421
plugins.trac.wordpress.org
https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/niteo-cmp.php#L1437
plugins.trac.wordpress.org
and 2 more references View all →

Timeline

Published
Apr 18, 2026
Last Updated
Apr 18, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-6518 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
AI-powered analysis
Plain-language impact assessment and exploitation scenario
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows