CVE-2026-6518 Overview
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes for WordPress contains a critical arbitrary file upload vulnerability that allows authenticated attackers to achieve remote code execution. The vulnerability exists in all versions up to and including 4.1.16 through the cmp_theme_update_install AJAX action. Due to insufficient capability checks and missing file validation, attackers with Editor-level access or above can force the server to download and extract malicious ZIP files from attacker-controlled URLs, leading to complete server compromise.
Critical Impact
Authenticated attackers can upload malicious files and execute arbitrary code on vulnerable WordPress installations, potentially leading to complete site takeover and server compromise.
Affected Products
- CMP – Coming Soon & Maintenance Plugin by NiteoThemes versions up to and including 4.1.16
- WordPress installations using the vulnerable plugin versions
- Sites with users having Editor-level access or above
Discovery Timeline
- 2026-04-18 - CVE CVE-2026-6518 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-6518
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw stems from a combination of security weaknesses in the plugin's theme update functionality. The cmp_theme_update_install AJAX action improperly validates user permissions by checking only for the publish_pages capability, which is available to Editors and above, rather than restricting access to Administrators with the manage_options capability.
The vulnerable function accepts a user-supplied URL without proper validation or sanitization. The server then downloads content from this attacker-controlled URL and extracts it without verifying the file contents. This allows malicious ZIP archives containing PHP backdoors or web shells to be extracted directly into the web-accessible wp-content/plugins/cmp-premium-themes/ directory.
Root Cause
The root cause of this vulnerability is multi-faceted:
Insufficient Capability Check: The AJAX action checks for publish_pages capability instead of the more restrictive manage_options capability, broadening the attack surface to include Editor-level users.
Missing URL Validation: The function accepts arbitrary URLs without validating that they point to legitimate theme update sources.
No Content Verification: Downloaded ZIP files are extracted without any verification of their contents, allowing arbitrary file types including executable PHP files to be placed on the server.
Insecure Extraction Location: Files are extracted to a web-accessible directory, making any uploaded malicious code immediately executable.
Attack Vector
The attack is network-based and requires low-privilege authentication (Editor-level access). An attacker can exploit this vulnerability by triggering the vulnerable AJAX action with a malicious URL pointing to a crafted ZIP file containing PHP web shells or backdoors.
The exploitation flow involves sending a crafted AJAX request to the cmp_theme_update_install action with a URL parameter pointing to an attacker-controlled server hosting a malicious ZIP archive. The vulnerable server downloads this archive and extracts it to the wp-content/plugins/cmp-premium-themes/ directory, where the attacker can then access the uploaded malicious PHP files directly via HTTP.
For technical implementation details, refer to the vulnerable code in niteo-cmp.php and the Wordfence vulnerability report.
Detection Methods for CVE-2026-6518
Indicators of Compromise
- Unexpected files appearing in the wp-content/plugins/cmp-premium-themes/ directory
- Suspicious PHP files with obfuscated code or shell functionality in plugin directories
- AJAX requests to admin-ajax.php with action parameter cmp_theme_update_install from non-Administrator users
- Outbound HTTP/HTTPS requests from the web server to unknown external hosts
- Web server access logs showing requests to newly created files in the plugin directory
Detection Strategies
- Monitor WordPress AJAX logs for suspicious cmp_theme_update_install action calls
- Implement file integrity monitoring on the wp-content/plugins/ directory to detect unauthorized file additions
- Review web server access logs for requests to the cmp-premium-themes directory that don't match expected theme files
- Deploy web application firewall (WAF) rules to detect and block suspicious AJAX requests with external URLs
- Use endpoint detection solutions to identify malicious PHP file creation and execution
Monitoring Recommendations
- Enable verbose logging for WordPress AJAX actions and review regularly
- Configure alerts for new file creation within WordPress plugin directories
- Monitor outbound network connections from the web server for unusual external communication
- Implement real-time file change detection for critical WordPress directories
- Review user activity logs for Editor-level accounts making unusual administrative requests
How to Mitigate CVE-2026-6518
Immediate Actions Required
- Update CMP – Coming Soon & Maintenance Plugin to version 4.1.17 or later immediately
- Audit the wp-content/plugins/cmp-premium-themes/ directory for any unauthorized or suspicious files
- Review user accounts with Editor-level access and above for any suspicious activity
- Temporarily disable the plugin if immediate update is not possible
- Scan the WordPress installation with security plugins to identify potential backdoors
Patch Information
NiteoThemes has released version 4.1.17 of the CMP – Coming Soon & Maintenance Plugin which addresses this vulnerability. The patch implements proper capability checks requiring manage_options (Administrator-level) permission, adds validation for download URLs, and includes content verification before file extraction.
The security fix can be reviewed in the WordPress Plugin ChangeSet comparing versions 4.1.16 and 4.1.17.
Workarounds
- Disable the CMP – Coming Soon & Maintenance Plugin until the patch can be applied
- Remove Editor-level access from untrusted users temporarily
- Implement server-level restrictions blocking external URL downloads from PHP
- Add web application firewall rules to block the vulnerable AJAX action
- Use file permission hardening to make the cmp-premium-themes directory read-only
# Temporary workaround: Make the vulnerable directory read-only
chmod 555 /path/to/wordpress/wp-content/plugins/cmp-premium-themes/
# Block the vulnerable AJAX action via .htaccess
# Add to WordPress root .htaccess file:
# RewriteCond %{REQUEST_URI} admin-ajax\.php
# RewriteCond %{QUERY_STRING} action=cmp_theme_update_install [NC]
# RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
