Impact
Based on the description, the unauthenticated broken access control could allow an attacker to perform actions normally reserved for authenticated users, possibly leading to unauthorized data access or modification. Based on the description, the vulnerability originates from improper authorization checks in the Royal MCP plugin, which may allow privileged operations without credential verification. Based on the description, it is inferred that this flaw could compromise the confidentiality, integrity, and availability of site data.
Affected Systems
WordPress installations that include the Royal MCP plugin version 1.4.2 or earlier. Royal Plugins, the provider of the plugin, is the only vendor identified. All sites running these versions remain vulnerable until the plugin is updated beyond 1.4.2.
Risk and Exploitability
The CVSS score of 7.3 indicates a high severity vulnerability. The EPSS score of < 1% suggests a low probability of exploitation at present, and the flaw is not listed in CISA KEV. Based on the description, the likely attack vector involves unauthenticated HTTP requests to privileged plugin endpoints, allowing attackers to perform restricted actions without needing valid credentials.
OpenCVE Enrichment