CMP Coming Soon and Maintenance WordPress Plugin Arbitrary File Upload and Remote Code Execution Vulnerability

Vulnerability

A vulnerability allowing arbitrary file upload and remote code execution has been identified in the CMP – Coming Soon & Maintenance Plugin by NiteoThemes for WordPress, affecting all versions through 4.1.16. The issue arises in the 'cmp_theme_update_install' AJAX action, where the plugin improperly authorizes users with the 'publish_pages' capability, instead of restricting access to 'manage_options' for Administrators. This flaw, coupled with inadequate validation of user-supplied file URLs and a lack of content verification for downloaded files before extraction, enables authenticated attackers with Administrator-level access to upload malicious ZIP files from remote URLs. These files are extracted into a web-accessible directory, leading to remote code execution.
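For defenders reviewing similar code, the following is an added example, not the plugin's own code, of a hardened WordPress AJAX handler that applies the three controls the advisory describes as missing: a capability check for 'manage_options' rather than 'publish_pages', validation of the user-supplied URL, and inspection of the downloaded archive before it is extracted. The hook name, function names, nonce name and host allow-list are hypothetical; the WordPress API calls (current_user_can, check_ajax_referer, wp_http_validate_url, download_url, WP_Filesystem, unzip_file, get_theme_root) are real.

```php
<?php
// Added example (not the CMP plugin's code): hardened "install theme from URL" AJAX handler.
// Hook/function/nonce names and the allow-listed host are assumptions for illustration.

add_action( 'wp_ajax_example_theme_update_install', 'example_theme_update_install' );

function example_theme_update_install() {
    // 1. Authorization: require the Administrator-level capability, not 'publish_pages'.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // wp_send_json_error() exits
    }
    // CSRF protection: nonce bound to this specific action (nonce name is assumed).
    check_ajax_referer( 'example_theme_update', 'nonce' );

    // 2. URL validation: well-formed https URL that passes WordPress' own checks
    //    and points only at an allow-listed download host.
    $url = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $url = wp_http_validate_url( $url );
    if ( false === $url || 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    $allowed_hosts = array( 'downloads.example.com' ); // assumed allow-list
    if ( ! in_array( wp_parse_url( $url, PHP_URL_HOST ), $allowed_hosts, true ) ) {
        wp_send_json_error( 'host not allowed', 400 );
    }

    // 3. Download to a temporary file and verify its content BEFORE extraction.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }
    $problem = example_validate_theme_zip( $tmp );
    if ( null !== $problem ) {
        unlink( $tmp );
        wp_send_json_error( $problem, 400 );
    }

    // Extract only into the themes directory, never into a caller-chosen path.
    WP_Filesystem();
    $result = unzip_file( $tmp, get_theme_root() );
    unlink( $tmp );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( 'theme installed' );
}

/**
 * Returns null when the archive looks like a single theme package, otherwise a reason.
 * Policy (assumed for this example): real ZIP magic bytes, no absolute or ".." paths,
 * every entry under one top-level directory, and a style.css in that directory.
 */
function example_validate_theme_zip( $path ) {
    $fh    = fopen( $path, 'rb' );
    $magic = $fh ? fread( $fh, 4 ) : '';
    if ( $fh ) {
        fclose( $fh );
    }
    if ( "PK\x03\x04" !== $magic ) {
        return 'not a zip archive';
    }
    $zip = new ZipArchive();
    if ( true !== $zip->open( $path ) ) {
        return 'archive cannot be opened';
    }
    $top       = null;
    $has_style = false;
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        // Block absolute paths and traversal components (zip-slip).
        if ( 0 === strpos( $name, '/' ) || preg_match( '#(^|/)\.\.(/|$)#', $name ) ) {
            $zip->close();
            return 'unsafe path in archive: ' . $name;
        }
        $parts = explode( '/', $name, 2 );
        if ( null === $top ) {
            $top = $parts[0];
        } elseif ( $parts[0] !== $top ) {
            $zip->close();
            return 'archive contains more than one top-level directory';
        }
        if ( $name === $top . '/style.css' ) {
            $has_style = true;
        }
    }
    $zip->close();
    return $has_style ? null : 'missing style.css';
}
```

Each check fails closed: the handler exits with an error before any file reaches the filesystem, and the archive is inspected on disk in a temporary location rather than trusting the remote server's response.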

Impact

Exploitation of this vulnerability allows for arbitrary file upload, which can be used to execute malicious code on the server.

Remediation

Users are advised to update the CMP – Coming Soon & Maintenance Plugin by NiteoThemes to version 4.1.17 or a newer patched version.

Added: Apr 18, 2026, 5:19 AM
Updated: Apr 18, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          7.5
  exploitability  5.6
  remediation     7.7
  relevance       6.3
  threat          3.2
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.