📄 Description (English)
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.
🤖 AI Executive Summary
CVE-2026-6518 affects the CMP – Coming Soon & Maintenance Plugin for WordPress (versions ≤4.1.16), allowing authenticated administrators to upload and execute arbitrary code via the `cmp_theme_update_install` AJAX action. The vulnerability stems from insufficient capability checks and lack of file validation, enabling remote code execution on affected WordPress installations. This poses a critical risk to Saudi organizations using WordPress for web presence, particularly government agencies, financial institutions, and e-commerce platforms.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 08:30
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi organizations: (1) Government sector (NCA, CITC, ARAMCO) — WordPress sites for public services and communications vulnerable to compromise; (2) Banking/Financial (SAMA-regulated institutions, fintech) — potential data breach and service disruption; (3) Healthcare (MOH, private hospitals) — patient data exposure and system integrity; (4) E-commerce and retail — customer data theft and payment system compromise; (5) Telecommunications (STC, Mobily) — service disruption and customer information exposure. Risk amplified by prevalence of WordPress in Saudi SMEs and government digital transformation initiatives.
🏢 Affected Saudi Sectors
Government (NCA, CITC, ARAMCO, MOI)
Banking & Financial Services (SAMA-regulated)
Healthcare (MOH, private hospitals)
E-commerce & Retail
Telecommunications (STC, Mobily, Zain)
Education (Universities, schools)
Energy (ARAMCO, SEC)
Real Estate & Construction
🎯 MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application
T1199 — Trusted Relationship
T1566 — Phishing (if admin credentials compromised)
T1105 — Ingress Tool Transfer
T1570 — Lateral Tool Transfer
T1059 — Command and Scripting Interpreter
T1053 — Scheduled Task/Job
T1098 — Account Manipulation
T1110 — Brute Force (credential attacks)
T1133 — External Remote Services
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using CMP plugin ≤4.1.16 across your organization
2. Disable the CMP plugin immediately: wp-cli plugin deactivate cmp-coming-soon-maintenance
3. Review WordPress admin user accounts and audit recent login activity for unauthorized access
4. Check wp-content/plugins/cmp-premium-themes/ directory for suspicious files (PHP shells, unexpected archives)
5. Review web server access logs (Apache/Nginx) for POST requests to /wp-admin/admin-ajax.php?action=cmp_theme_update_install
PATCHING GUIDANCE:
6. Monitor NiteoThemes repository for security patch release; upgrade immediately when available
7. If patch unavailable, consider removing CMP plugin entirely and using alternative coming-soon solutions (e.g., SeedProd, Elementor Coming Soon)
COMPENSATING CONTROLS (if plugin must remain):
8. Restrict WordPress admin access to specific IP ranges (SAMA/NCA networks)
9. Implement Web Application Firewall (WAF) rules to block cmp_theme_update_install AJAX calls
10. Enable WordPress security plugins (Wordfence, Sucuri) with file integrity monitoring
11. Implement strict file upload restrictions via wp-config.php: define('DISALLOW_FILE_EDIT', true);
12. Use WordPress security headers: X-Content-Type-Options: nosniff, Content-Security-Policy
DETECTION RULES:
13. Monitor for POST requests: /wp-admin/admin-ajax.php?action=cmp_theme_update_install with suspicious URL parameters
14. Alert on any file extraction/unzip operations in wp-content/plugins/cmp-premium-themes/
15. Monitor for new PHP files created in plugin directories with timestamps matching suspicious activity
16. Log all WordPress admin user actions via audit logging plugin
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم إضافة CMP ≤4.1.16 عبر مؤسستك
2. تعطيل إضافة CMP فوراً: wp-cli plugin deactivate cmp-coming-soon-maintenance
3. مراجعة حسابات مسؤول WordPress وتدقيق نشاط تسجيل الدخول الأخير للوصول غير المصرح
4. التحقق من دليل wp-content/plugins/cmp-premium-themes/ للملفات المريبة (أصداف PHP، أرشيفات غير متوقعة)
5. مراجعة سجلات الوصول لخادم الويب (Apache/Nginx) لطلبات POST إلى /wp-admin/admin-ajax.php?action=cmp_theme_update_install
إرشادات التصحيح:
6. مراقبة مستودع NiteoThemes لإصدار تصحيح أمني؛ قم بالترقية فوراً عند توفره
7. إذا لم يكن التصحيح متاحاً، فكر في إزالة إضافة CMP بالكامل واستخدام حلول بديلة (مثل SeedProd، Elementor Coming Soon)
الضوابط التعويضية (إذا كان يجب أن تبقى الإضافة):
8. تقييد وصول مسؤول WordPress إلى نطاقات IP محددة (شبكات SAMA/NCA)
9. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر استدعاءات AJAX cmp_theme_update_install
10. تفعيل إضافات أمان WordPress (Wordfence، Sucuri) مع مراقبة سلامة الملفات
11. تنفيذ قيود صارمة على رفع الملفات عبر wp-config.php: define('DISALLOW_FILE_EDIT', true);
12. استخدام رؤوس أمان WordPress: X-Content-Type-Options: nosniff، Content-Security-Policy
قواعد الكشف:
13. مراقبة طلبات POST: /wp-admin/admin-ajax.php?action=cmp_theme_update_install مع معاملات URL مريبة
14. تنبيه على أي عمليات استخراج/فك ضغط في wp-content/plugins/cmp-premium-themes/
15. مراقبة ملفات PHP الجديدة المنشأة في دلائل الإضافات مع طوابع زمنية تطابق النشاط المريب
16. تسجيل جميع إجراءات مستخدم مسؤول WordPress عبر إضافة تدقيق السجل
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.1.1 — Information security policies and procedures for access control
ECC 2024 A.12.4.1 — Restriction of access to information and information processing facilities
ECC 2024 A.14.2.1 — Secure development policy and procedures
ECC 2024 A.14.2.5 — Secure development environment
ECC 2024 A.12.6.1 — Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF Governance & Risk Management — Vulnerability management and patch management
SAMA CSF Protective Security — Access control and authentication
SAMA CSF Protective Security — Application security and secure coding
SAMA CSF Detection & Response — Security monitoring and incident detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 — Access control
ISO 27001:2022 A.8.1 — Organizational controls for information security
ISO 27001:2022 A.8.2 — Personnel security
ISO 27001:2022 A.8.3 — Asset management
ISO 27001:2022 A.8.6 — Cryptography
ISO 27001:2022 A.8.22 — Information security for supplier relationships
ISO 27001:2022 A.8.32 — Change management
🟣 PCI DSS v4.0.1
PCI DSS 6.2 — Ensure all system components and software are protected from known vulnerabilities
PCI DSS 7.1 — Restrict access to system components by business need to know
PCI DSS 8.1 — Assign unique ID to each person with computer access
🔗 References & Sources 5
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/nite...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/nite...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.16/nite...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?old_path=%2Fcmp-coming-soon-maintenance/ta...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/d6fb275b-dbba-46df-b170-977ef...
security@wordfence.com