CVE-2026-6518 is a high-severity vulnerability in the CMP – Coming Soon & Maintenance Plugin by NiteoThemes for WordPress. The vulnerability stems from improper capability checks and insufficient validation of user-supplied file URLs in the cmp_theme_update_install AJAX action. Specifically, the function checks for the publish_pages capability instead of the more restrictive manage_options capability, allowing users with Administrator privileges to trigger the download and extraction of attacker-controlled ZIP files into a web-accessible plugin directory. This leads to remote code execution on the affected server. Editors cannot exploit this due to missing nonce protection. The vulnerability affects all plugin versions up to 4.1.16. No patch or official fix has been published as of the provided data.

Successful exploitation allows an authenticated user with Administrator privileges to upload and execute arbitrary code on the affected WordPress server by forcing it to download and extract malicious files into a web-accessible directory. This can lead to full compromise of the web server, including confidentiality, integrity, and availability impacts. Editors cannot exploit this vulnerability due to nonce protections. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Administrator access to trusted users only and monitor for suspicious activity related to the cmp_theme_update_install AJAX action. Avoid using the vulnerable plugin versions if possible.