CVE-2026-10750
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
The Royal MCP WordPress plugin before version 1.4.26 does not perform capability checks on most of its MCP tools after token authentication, allowing authenticated users with low-privileged roles such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.
Risk Assessment
The organization is at risk of confidential data leakage, unauthorized access to content, and content manipulation by unauthorized users, potentially compromising system integrity and confidentiality.
Recommendation
Immediately update the Royal MCP plugin to version 1.4.26 or later, and review and restrict user permissions, especially for users with the Subscriber role.
Original NVD description (English source)
The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

