Description
Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Royal MCP: from n/a through 1.4.25.
Published: 2026-06-25
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that lets users with incorrect or low access levels perform actions reserved for higher-privileged accounts. This broken access control can expose administrative interfaces, sensitive configuration data, and business logic controls. An attacker who can exercise these privileges may alter plugin settings, hijack user roles, or further compromise the system.

Affected Systems

All installations of the WordPress Royal MCP plugin released up to and including version 1.4.25 are affected. The issue resides within Royal Plugins' Royal MCP component, which is installed on WordPress sites via the plugin marketplace or manual upload.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-severity flaw. An EPSS score is not currently available, and the absence of a KEV listing suggests that the vulnerability is not yet widely exploited; the high score still warrants caution. Based on the description, the likely attack vector is the plugin's administrative controls or API endpoints that do not properly enforce role verification, allowing an attacker who can access these endpoints to elevate privileges or access sensitive information.

Generated by OpenCVE AI on June 25, 2026 at 15:29 UTC.

Remediation

Vendor Solution

Update the WordPress Royal MCP Plugin to the latest available version (at least 1.4.26).


OpenCVE Recommended Actions

  • Update the WordPress Royal MCP Plugin to version 1.4.26 or later to apply the vendor's fix.
  • Verify that the plugin’s settings enforce correct access control after the upgrade and correct any misconfigurations.
  • If the plugin is not essential, consider disabling or uninstalling it, or restrict its use to the minimum required user roles on the site.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Royal Plugins; Royal Plugins royal Mcp; Wordpress; Wordpress wordpress
Vendors & Products | | Royal Plugins; Royal Plugins royal Mcp; Wordpress; Wordpress wordpress

Thu, 25 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25.
Title | | WordPress Royal MCP plugin <= 1.4.25 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:09:32.720Z

Reserved: 2026-06-16T09:22:02.525Z

Link: CVE-2026-54842

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T23:30:16Z

Weaknesses