PT-2026-33590 · Niteothemes · Cmp – Coming Soon & Maintenance Plugin

Published: 2026-04-18 · Updated: 2026-04-19 · CVE-2026-6518

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

CMP – Coming Soon & Maintenance Plugin by NiteoThemes, versions prior to 4.1.17
Description

The plugin allows arbitrary file upload and remote code execution through the 'cmp_theme_update_install' AJAX action. The cmp_theme_update_install() function checks the publish_pages capability instead of manage_options, and it validates neither the user-supplied file URL nor the content of the downloaded file before extraction. Authenticated attackers with Administrator-level access can force the server to download a malicious ZIP file from a remote URL and extract it into the 'wp-content/plugins/cmp-premium-themes/' directory, leading to remote code execution.
Recommendations

Update the plugin to a version later than 4.1.16.
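The three defects named in the description (wrong capability check, unvalidated download URL, unvalidated archive content) each map to one check in a hardened handler. The following is an added illustration written for this advisory, not the plugin's own code: the action and nonce names, the 'theme' field, and the catalogue URL and digest are assumptions, and it goes one step further than validating the URL by not accepting one from the client at all.

```php
<?php
// Hypothetical hardened handler written for this advisory; it is not the plugin's own code.
// Assumed names: AJAX action 'cmp_theme_update_install', nonce action 'cmp_theme_nonce', POST
// field 'theme' naming a catalogue entry; the catalogue URL and digest are constructed placeholders.
add_action( 'wp_ajax_cmp_theme_update_install', 'hardened_cmp_theme_update_install' );
function hardened_cmp_theme_update_install() {
    // 1. Installing code is an administrator task: require manage_options, not publish_pages.
    check_ajax_referer( 'cmp_theme_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. No user-supplied URL: the server decides where code comes from and what its digest is.
    $catalogue = array( 'starter' => array( 'url' => 'https://downloads.example.invalid/starter.zip',
        'sha256' => '0000000000000000000000000000000000000000000000000000000000000000' ) );
    $slug = isset( $_POST['theme'] ) ? sanitize_key( wp_unslash( $_POST['theme'] ) ) : '';
    if ( ! isset( $catalogue[ $slug ] ) ) {
        wp_send_json_error( 'unknown theme', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url( $catalogue[ $slug ]['url'] );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }
    // 3. Validate the download before extraction: the digest must match and no entry may escape
    //    the target directory; anything else is deleted without being unpacked.
    if ( ! hash_equals( $catalogue[ $slug ]['sha256'], (string) hash_file( 'sha256', $tmp ) )
         || ! zip_entries_are_safe( $tmp ) ) {
        wp_delete_file( $tmp );
        wp_send_json_error( 'archive rejected', 400 );
    }
    WP_Filesystem();
    $result = unzip_file( $tmp, WP_CONTENT_DIR . '/plugins/cmp-premium-themes/' );
    wp_delete_file( $tmp );
    is_wp_error( $result ) ? wp_send_json_error( $result->get_error_message(), 500 ) : wp_send_json_success();
}
// Reject absolute paths and '..' segments so no archive entry can be written outside the target.
function zip_entries_are_safe( $path ) {
    $zip = new ZipArchive();
    if ( true !== $zip->open( $path ) ) { return false; }
    $safe = true;
    for ( $i = 0; $safe && $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        $safe = '' !== $name && ! in_array( $name[0], array( '/', '\\' ), true )
             && ! in_array( '..', preg_split( '#[\\\\/]#', $name ), true );
    }
    $zip->close();
    return $safe;
}
```

On a site that cannot update yet, the same three checks (capability, request origin, archive contents) are also what to look for in web-server logs: POST requests to admin-ajax.php carrying this action from non-administrator sessions are the signal worth alerting on.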

Tags: Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-6518

Affected Products: Cmp – Coming Soon & Maintenance Plugin