2 matches found
CVE-2026-10750 Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools
The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify,...
CVE-2026-40775
WordPress plugin Royal MCP (for the WordPress ecosystem) is affected up to version 1.4.2. The CVE describes an Unauthenticated Broken Access Control vulnerability, i.e., an attacker without credentials can access restricted functionality. The CVSS metrics (CVSS:3.1, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:...