PT-2026-54493 · Undefined · Undefined

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-10750

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-10750

Affected Products

Undefined