Security Alert Summary
The Royal MCP WordPress plugin before 1.4.26 fails to perform capability checks on most of its MCP tools after token authentication. This allows authenticated users with low-privileged roles, such as Subscriber, to read private content, enumerate users and their roles, and create, modify, or delete content owned by other users.
CVE Details
- CVE ID: CVE-2026-10750
- Affected component: Royal MCP WordPress plugin
- Affected versions: All versions prior to 1.4.26
- Published: July 1, 2026 at 7:16:21 AM UTC
- Last modified: July 1, 2026 at 11:16:22 AM UTC
- CVSS v3.1: Base score 8.1 – HIGH; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Authentication / privileges / user interaction: Requires authentication; privileges required: LOW; user interaction: NONE
- Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: NONE
- CWE / weakness ID: Not specified in the provided data
Technical Details
The plugin does not perform capability checks on the majority of its MCP tools after token authentication. In other words, once a user is authenticated via the plugin’s token mechanism, the plugin fails to verify that the authenticated user actually has the required WordPress capabilities to access or modify the requested resources.
Because capability checks are missing, authenticated users with low-privileged roles (for example, Subscriber) can:
- Read private content they should not be able to access
- Enumerate all users and their roles
- Create, modify, or delete content owned by other users
The description attributes the issue to missing capability validation after token-based authentication. No specific functions or REST endpoints are named in the provided data.
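The following is an added illustration, not code from the Royal MCP plugin (the advisory names no functions or endpoints), of where the missing step sits in a WordPress MCP tool handler. It is a hypothetical dispatcher in which token lookup (`example_mcp_user_from_token`, the `example_mcp_token_hash` meta key) and the tool names are assumptions; the capability names passed to `current_user_can()` are real WordPress capabilities and meta-capabilities. The point it demonstrates is that token authentication only establishes who is calling, and that each tool must still ask WordPress whether that user is allowed to perform the specific action on the specific object.

```php
<?php
// Added example, not the plugin's own code. A hypothetical MCP tool dispatcher
// for a WordPress plugin showing per-tool capability checks after token auth.

/**
 * Hypothetical: map a bearer token to a WordPress user ID (0 if unknown).
 * The storage scheme (a SHA-256 hash in user meta) is an assumption.
 */
function example_mcp_user_from_token( string $token ): int {
    $ids = get_users( array(
        'meta_key'   => 'example_mcp_token_hash',
        'meta_value' => hash( 'sha256', $token ),
        'fields'     => 'ID',
    ) );
    return empty( $ids ) ? 0 : (int) $ids[0];
}

function example_mcp_forbidden( string $tool ): WP_Error {
    return new WP_Error( 'forbidden', "Insufficient capability for tool {$tool}.", array( 'status' => 403 ) );
}

/**
 * Dispatch one MCP tool call. Authentication resolves the caller; the
 * current_user_can() call in each branch is the authorization step whose
 * absence is the class of flaw described in this advisory.
 */
function example_mcp_dispatch( string $token, string $tool, array $args ) {
    $user_id = example_mcp_user_from_token( $token );
    if ( 0 === $user_id ) {
        return new WP_Error( 'unauthorized', 'Invalid token.', array( 'status' => 401 ) );
    }
    // Bind the request to the resolved user so current_user_can() evaluates
    // against that user's role, not an anonymous or cached context.
    wp_set_current_user( $user_id );

    $post_id = (int) ( $args['id'] ?? 0 );

    switch ( $tool ) {
        case 'get_post':
            $post = get_post( $post_id );
            if ( ! $post ) {
                return new WP_Error( 'not_found', 'No such post.', array( 'status' => 404 ) );
            }
            // read_post is a meta capability: for private posts WordPress maps it
            // to read_private_posts, which a Subscriber does not hold.
            if ( ! current_user_can( 'read_post', $post->ID ) ) {
                return example_mcp_forbidden( $tool );
            }
            return array( 'id' => $post->ID, 'title' => $post->post_title, 'content' => $post->post_content );

        case 'list_users':
            // list_users is held by administrators, not by low-privileged roles,
            // so this single check stops user and role enumeration.
            if ( ! current_user_can( 'list_users' ) ) {
                return example_mcp_forbidden( $tool );
            }
            return array_map( function ( WP_User $u ) {
                return array( 'id' => $u->ID, 'login' => $u->user_login, 'roles' => $u->roles );
            }, get_users() );

        case 'create_post':
            // Creating a draft requires edit_posts; publishing would need publish_posts.
            if ( ! current_user_can( 'edit_posts' ) ) {
                return example_mcp_forbidden( $tool );
            }
            return wp_insert_post( array(
                'post_title'   => sanitize_text_field( $args['title'] ?? '' ),
                'post_content' => wp_kses_post( $args['content'] ?? '' ),
                'post_status'  => 'draft',
                'post_author'  => $user_id,
            ), true );

        case 'update_post':
            // edit_post resolves to edit_others_posts when the post belongs to
            // another user, which is what prevents cross-user modification.
            if ( ! current_user_can( 'edit_post', $post_id ) ) {
                return example_mcp_forbidden( $tool );
            }
            return wp_update_post( array(
                'ID'           => $post_id,
                'post_content' => wp_kses_post( $args['content'] ?? '' ),
            ), true );

        case 'delete_post':
            // delete_post likewise resolves to delete_others_posts for other users' content.
            if ( ! current_user_can( 'delete_post', $post_id ) ) {
                return example_mcp_forbidden( $tool );
            }
            return wp_delete_post( $post_id, false );

        default:
            return new WP_Error( 'unknown_tool', 'Unknown tool.', array( 'status' => 400 ) );
    }
}
```

Passing the object ID to `current_user_can()` matters: checking only a primitive capability such as `edit_posts` would let a Contributor edit other authors' posts, whereas the meta-capability form lets WordPress's own `map_meta_cap()` decide per post. When reviewing a plugin, the check to look for is exactly this: every tool or REST callback should contain a `current_user_can()` (or a REST `permission_callback`) that names the capability the action needs, evaluated after the token has been mapped to a user.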
How This Could Impact Your Website
On a site with multiple users, the lack of capability checks creates realistic risks. For example, an external contractor or contributor granted a low-privileged account could authenticate with the plugin’s token flow and then access private posts authored by staff, enumerate internal user lists and roles, or alter content created by other editors. A site owner or administrator may not immediately notice small edits to existing content or unauthorized new content.
Practical consequences include exposure of internal user email addresses and role information, which increases the risk of targeted phishing or social engineering against staff or contractors. Integrity of published content may also be affected if low-privileged accounts are able to modify or delete posts authored by others.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the Royal MCP plugin to version 1.4.26 or later as soon as possible.
- Review and reduce unnecessary user roles and capabilities, especially for contributors and other low-privileged accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and audit logs for unusual behavior related to content changes or user enumeration.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.