CVE-2026-40775 | Severity: HIGH | CNA: Patchstack

CVE-2026-40775: WordPress Royal MCP plugin <= 1.4.2 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Royal MCP versions <= 1.4.2.

Metrics

CVSS v3.1 base score: 7.3
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

Broken access control in the Royal MCP WordPress plugin (versions 1.4.2 and earlier) allows an unauthenticated remote attacker to reach endpoints that should be restricted. No authentication is required, and the vulnerability is reachable directly over the network. Successful exploitation enables limited reads, writes, and service disruption against the affected WordPress installation. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-40775 is available across every HarborGuard environment. Vulnerability metadata is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, covering custom-built WordPress images as well as official base images.

Triage: Available

HarborGuard scores this CVE at 7.3 HIGH using the published CVSS v3.1 vector, and triage findings are weighted against each customer's per-environment compliance policy. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published for Royal MCP, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the upstream maintainer releases a remediated version. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention once a fix is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress host (AV:N in the published vector).

  • Authentication: Not required

    No account or session credential of any kind is needed to trigger the vulnerability (PR:N).

  • Victim interaction: Not required

    The attacker acts entirely on their own; no user of the target site needs to click a link or take any action (UI:N).

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental setup required (AC:L).

Blast Radius

  • Reads protected content or configuration data from the WordPress installation that should be access-controlled.
  • Writes or modifies data within the application, which may include plugin settings or stored content.
  • Disrupts normal operation of the affected WordPress service, degrading availability for legitimate users.
  • Because the access control bypass is unauthenticated, any internet-facing instance is exposed without needing prior foothold.

How HarborGuard Handles This

Since no upstream fix exists for CVE-2026-40775 at this time, the platform monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression test run and a PR against affected workloads the moment a fix version is published. In the interim, compensating controls include:

  • Restricting ingress to the WordPress service to known IP ranges, for example with a Kubernetes NetworkPolicy or the equivalent rule at the load balancer. This only helps where the site does not need to be reachable from the public internet.
  • Placing an authenticated reverse proxy or a WAF rule in front of the plugin's endpoint paths so that unauthenticated requests never reach the plugin. The advisory does not list the affected routes, so confirm them against the plugin's source before relying on a path-based rule.
  • Where the Royal MCP functionality is non-essential, deactivating the plugin (or removing it from the image) through configuration management until a patch is available.

Teams can configure HarborGuard policy rules today to flag any image carrying Royal MCP 1.4.2 or earlier as non-compliant and block it from promotion to production.
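The version check behind "Royal MCP 1.4.2 or earlier" is easy to get wrong if versions are compared as strings ("1.10.0" sorts below "1.4.2"). The script below is an added example and not HarborGuard's policy engine or the plugin's own code: it reads WordPress plugin headers the way WordPress itself does (first 8 KiB of the main file, "Plugin Name:" and "Version:" lines with comment decoration allowed), compares versions numerically against the advisory's ceiling, and scans a plugins directory. It assumes the plugin's header name is "Royal MCP" (taken from the advisory's product name), ignores pre-release suffixes, and the sample plugin tree it builds is constructed for the demo.

```python
"""Find WordPress installs carrying Royal MCP <= 1.4.2 by reading plugin headers.

Added example for this advisory, not HarborGuard's policy engine. Assumptions:
the plugin's header 'Plugin Name' is 'Royal MCP' (taken from the advisory's
product name) and pre-release suffixes are ignored when comparing versions.
"""
import os
import re
import tempfile

# Same shape as WordPress's own header regex: a header line may be prefixed by
# comment decoration (' * ', '/*', '#'); WordPress only reads the first 8 KiB.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M)
HEADER_BYTES = 8192

# Highest affected version per plugin name, from the advisory (<= 1.4.2).
AFFECTED_CEILING = {"Royal MCP": "1.4.2"}


def parse_plugin_header(source: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin's header comment."""
    fields = {}
    for key, raw in HEADER_RE.findall(source):
        # Mirror WordPress's _cleanup_header_comment: drop a trailing '*/' or '?>'.
        value = re.sub(r"\s*(?:\*/|\?>).*", "", raw).strip()
        fields.setdefault(key, value)  # first occurrence wins, as in WordPress
    return fields


def version_key(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple.

    Comparing strings gets '1.10.0' < '1.4.2' wrong; tuples of ints do not.
    Trailing zeros are dropped so '1.4' == '1.4.0'. Anything after '-' is
    ignored (assumption: pre-release tags do not matter for this check).
    """
    parts = [int(p) for p in re.findall(r"\d+", version.split("-", 1)[0])]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(name: str, version: str) -> bool:
    """True when the named plugin is in the advisory's affected range."""
    ceiling = AFFECTED_CEILING.get(name)
    return ceiling is not None and version_key(version) <= version_key(ceiling)


def plugin_main_files(plugins_dir: str):
    """Yield candidate main files: top-level *.php, and *.php inside each plugin dir."""
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if entry.endswith(".php"):
            yield path
        elif os.path.isdir(path):
            for name in sorted(os.listdir(path)):
                if name.endswith(".php"):
                    yield os.path.join(path, name)


def scan_plugins_dir(plugins_dir: str) -> list:
    """Return (plugin name, version, affected) for every plugin header found."""
    findings = []
    for php in plugin_main_files(plugins_dir):
        with open(php, "rb") as fh:
            head = fh.read(HEADER_BYTES).decode("utf-8", "replace")
        fields = parse_plugin_header(head)
        if "Plugin Name" not in fields:
            continue  # helper file, not a plugin's main file
        name, version = fields["Plugin Name"], fields.get("Version", "0")
        findings.append((name, version, is_affected(name, version)))
    return findings


# Constructed sample tree (not real plugin code): headers in the two styles
# WordPress accepts, plus a 1.10.0 copy to show the string-comparison trap.
SAMPLE_PLUGINS = {
    "royal-mcp/royal-mcp.php": "<?php\n/**\n * Plugin Name: Royal MCP\n * Version: 1.4.2\n */\n",
    "royal-mcp-next/royal-mcp.php": "<?php\n/*\nPlugin Name: Royal MCP\nVersion: 1.10.0\n*/\n",
    "example-plugin.php": "<?php\n/**\n * Plugin Name: Example Plugin\n * Version: 2.0 */\n",
}


def build_sample_tree() -> str:
    """Write SAMPLE_PLUGINS into a temporary wp-content/plugins-style directory."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, content in SAMPLE_PLUGINS.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for name, version, affected in scan_plugins_dir(build_sample_tree()):
        print(f"{name} {version}: {'AFFECTED' if affected else 'ok'}")
```

Point `scan_plugins_dir` at a mounted image's `wp-content/plugins` to get the same verdicts for a real install; a non-empty list of `affected=True` rows is the signal to block promotion.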

Affected packages
  • Royal Plugins / Royal MCP, versions ≤ 1.4.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References