Description
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.
Published: 2026-04-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The WordPress plugin CMP – Coming Soon & Maintenance is vulnerable to an arbitrary file upload that can lead to remote code execution. The flaw resides in the AJAX action that accepts a user‑supplied URL without validating it or the content and file type it points to. When invoked, the plugin downloads a ZIP archive from the attacker’s URL and extracts it into a web‑accessible directory, so any PHP file it contains becomes reachable and executable through the web server. This functionality is guarded only by a `publish_pages` capability check, which grants access to Editors and higher roles, thus enabling attackers with Administrator privileges to upload malicious payloads. The weakness is a classic insecure file upload flaw (CWE‑434) where the server fails to restrict input and verify the integrity of the downloaded content.

Affected Systems

WordPress sites running the CMP – Coming Soon & Maintenance plugin from NiteoThemes version 4.1.16 or earlier are affected. The only affected component is the plugin itself; the vulnerability does not require modification of core WordPress files. All installations of the plugin, regardless of site size, that have not upgraded past 4.1.16 are at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, with potential to gain arbitrary code execution on the web server. Because exploitation requires authenticated access with Administrator privileges, the attack surface is limited to users who have already compromised or legitimately possess such roles. The EPSS score is not available, so an assessment of real‑world exploitation probability cannot be provided. The vulnerability is not listed in the CISA KEV catalog, but the combination of a high CVSS score and vulnerable code paths suggests the risk is significant for any site that has not applied the latest fix. Attackers would typically deliver a malicious ZIP via the AJAX endpoint, triggering the download and extraction, which then results in an RCE in a web‑accessible directory. Editors cannot reach the action because they are never issued the required nonce, which keeps lower‑privileged users from executing the exploit. The path to exploitation is publicly documented in the source references. Therefore, sites should treat this as a high‑priority issue.

Generated by OpenCVE AI on April 18, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CMP – Coming Soon & Maintenance plugin to version 4.1.17 or later
  • Configure the plugin to restrict file uploads to an allowlist of MIME types and to prevent fetching from remote URLs, or disable the `cmp_theme_update_install` AJAX action outside the plugin's admin pages
  • Ensure that the web server’s permissions on wp-content/plugins/cmp-premium-themes/ block execution of files uploaded by the plugin (e.g., an .htaccess rule that denies access to PHP files, or disabling PHP execution in that directory)
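As an added illustration (not the plugin's own code, which this page does not show), the following WordPress AJAX handler applies the checks the description says are missing: the `manage_options` capability instead of `publish_pages`, a nonce, a restricted download URL, and verification of the archive before it is extracted. The function name, the nonce action, the allowlisted host and the expected hash are placeholders assumed for this example.

```php
<?php
// Added illustration, not the plugin's code: hardened form of the handler the advisory describes.
// The function name, nonce action, allowlisted host and expected hash are placeholders.
add_action( 'wp_ajax_cmp_theme_update_install', 'cmp_theme_update_install_hardened' );
function cmp_theme_update_install_hardened() {
    // 1. Administrators only; the vulnerable version accepted publish_pages (Editors and above).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the nonce is only issued on the plugin's own admin page.
    check_ajax_referer( 'cmp_theme_update', 'nonce' );
    // 3. Never fetch from an arbitrary user-supplied origin: https only, host on an allowlist.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $ok  = $url
        && 'https' === wp_parse_url( $url, PHP_URL_SCHEME )
        && in_array( wp_parse_url( $url, PHP_URL_HOST ), array( 'updates.example.invalid' ), true );
    if ( ! $ok ) { wp_send_json_error( 'url not allowed', 400 ); }
    // 4. Download to a temp file and verify its content before touching the plugin directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) { wp_send_json_error( $tmp->get_error_message(), 502 ); }
    $expected = 'EXPECTED_SHA256_FROM_TRUSTED_MANIFEST'; // placeholder; never taken from the request
    $problem  = hash_equals( $expected, hash_file( 'sha256', $tmp ) ) ? cmp_zip_problem( $tmp ) : 'hash mismatch';
    if ( $problem ) {
        @unlink( $tmp );
        wp_send_json_error( $problem, 400 );
    }
    WP_Filesystem();
    $result = unzip_file( $tmp, WP_PLUGIN_DIR . '/cmp-premium-themes/' );
    @unlink( $tmp );
    is_wp_error( $result ) ? wp_send_json_error( $result->get_error_message(), 500 ) : wp_send_json_success();
}
// Structural check on the archive: it must open as a consistent ZIP and contain no traversal entries.
function cmp_zip_problem( $path ) {
    $zip = new ZipArchive();
    if ( true !== $zip->open( $path, ZipArchive::CHECKCONS ) ) { return 'not a valid zip archive'; }
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( false !== strpos( $name, '..' ) || 0 === strpos( $name, '/' ) ) { return 'unsafe path in archive: ' . $name; }
    }
    return '';
}
```

The hash comparison stands in for whatever integrity mechanism the vendor's update channel provides (a signed manifest would serve the same purpose); the point is that the server, not the request, decides what archive content is acceptable.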

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Niteo; Niteo cmp – Coming Soon & Maintenance Plugin By Niteothemes; Wordpress; Wordpress wordpress
Vendors & Products  |                | Niteo; Niteo cmp – Coming Soon & Maintenance Plugin By Niteothemes; Wordpress; Wordpress wordpress

Mon, 20 Apr 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 18 Apr 2026 04:30:00 +0000

Type        | Values Removed | Values Added
Description |                | (identical to the Description at the top of this page)
Title       |                | CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution
Weaknesses  |                | CWE-434
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-20T13:46:08.222Z

Reserved: 2026-04-17T15:01:57.890Z

Link: CVE-2026-6518

Vulnrichment

Updated: 2026-04-20T13:44:56.456Z

NVD

Status: Received

Published: 2026-04-18T05:16:24.377

Modified: 2026-04-18T05:16:24.377

Link: CVE-2026-6518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:58:47Z

Weaknesses