CVE-2026-10750
The CVE concerns the Royal MCP WordPress plugin (before 1.4.26). The issue is a missing capability check after token authentication in most MCP tools, allowing a low-privilege user (e.g., Subscriber) to read private content, enumerate users and roles, and create/modify/delete content owned by oth...
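The missing step described above, authorization after token authentication, can be written as a fail-closed capability gate in front of every tool. This is an added example, not the plugin's code or its actual fix: the `royal_example_*` names, the tool names and the `$handlers` map are hypothetical, and it assumes WordPress is loaded and the token has already been resolved to a `WP_User`.

```php
<?php
// Added illustration; every royal_example_* name and tool name is hypothetical.
// Capability required per tool. Meta capabilities (read_post, edit_post,
// delete_post) are resolved by WordPress against the specific post ID.
const ROYAL_EXAMPLE_TOOL_CAPS = array(
    'get_post'    => array( 'cap' => 'read_post',   'object_arg' => 'post_id' ),
    'update_post' => array( 'cap' => 'edit_post',   'object_arg' => 'post_id' ),
    'delete_post' => array( 'cap' => 'delete_post', 'object_arg' => 'post_id' ),
    'list_users'  => array( 'cap' => 'list_users',  'object_arg' => null ),
);

function royal_example_authorize_tool( WP_User $user, string $tool, array $args ) {
    // Fail closed: a tool with no declared capability is never dispatched.
    if ( ! isset( ROYAL_EXAMPLE_TOOL_CAPS[ $tool ] ) ) {
        return new WP_Error( 'unknown_tool', 'Tool has no declared capability.', array( 'status' => 403 ) );
    }
    $rule = ROYAL_EXAMPLE_TOOL_CAPS[ $tool ];

    if ( null === $rule['object_arg'] ) {
        $allowed = user_can( $user, $rule['cap'] );
    } else {
        $object_id = absint( $args[ $rule['object_arg'] ] ?? 0 );
        // A missing or zero ID cannot be authorized against any object.
        $allowed = $object_id > 0 && user_can( $user, $rule['cap'], $object_id );
    }

    if ( ! $allowed ) {
        return new WP_Error( 'forbidden', 'Token user lacks the capability for this tool.', array( 'status' => 403 ) );
    }
    return true;
}

function royal_example_dispatch( WP_User $user, string $tool, array $args, array $handlers ) {
    // A valid token only identifies the user; it does not authorize the call.
    $check = royal_example_authorize_tool( $user, $tool, $args );
    if ( is_wp_error( $check ) ) {
        return $check;
    }
    if ( ! isset( $handlers[ $tool ] ) || ! is_callable( $handlers[ $tool ] ) ) {
        return new WP_Error( 'unknown_tool', 'No handler registered.', array( 'status' => 404 ) );
    }
    // Run as the token's user so checks inside core see the same identity.
    wp_set_current_user( $user->ID );
    return call_user_func( $handlers[ $tool ], $args );
}
```

With this gate, a Subscriber token fails `read_post` on another author's private post, `list_users`, and `edit_post` or `delete_post` on content it does not own, because the Subscriber role carries none of the underlying capabilities.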