What happened
CVE-2026-40775 (CVSS 7.3 HIGH) published 2026-06-15. The Royal MCP WordPress plugin in versions ≤ 1.4.2 contains an unauthenticated broken access control vulnerability, allowing remote attackers to interact with MCP server functionality without authenticating.
Why it matters
MCP plugins for WordPress expose tool and resource endpoints to AI agents. Unauthenticated access control bypass on such a plugin could allow attackers to invoke MCP tools, read MCP-served resources, or manipulate data exposed to AI agents — directly affecting the security boundary between the web server and any AI agent connecting via MCP.
Attack vector
An unauthenticated remote attacker exploits the broken access control in the Royal MCP WordPress plugin to access or manipulate MCP-exposed resources without authenticating.
Affected systems
Royal MCP WordPress plugin ≤ 1.4.2
Mitigation
Update Royal MCP plugin to version > 1.4.2. Patchstack advisory: https://patchstack.com/database/wordpress/plugin/royal-mcp/vulnerability/wordpress-royal-mcp-plugin-1-4-2-broken-access-control-vulnerability
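A defender-side inventory check, added here and not part of the advisory or the plugin's own code: it scans a WordPress plugins directory for the royal-mcp plugin (slug taken from the advisory URL above), reads the Version header the way WordPress does, and flags any install still at 1.4.2 or below. The sample install it builds is constructed for the demonstration and the header text is an assumption.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Plugin slug from the Patchstack URL and the last vulnerable version from the advisory.
AFFECTED_SLUG = "royal-mcp"
MAX_VULNERABLE = "1.4.2"

# Matches the "Version:" line of a WordPress plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); non-numeric suffixes such as '-beta' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is <= 1.4.2 (tuple comparison, like version_compare)."""
    return parse_version(version) <= parse_version(MAX_VULNERABLE)


def plugin_version(plugin_dir: str) -> Optional[str]:
    """Return the Version header found in the plugin's main PHP file, if any."""
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".php"):
            path = os.path.join(plugin_dir, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                m = HEADER_RE.search(fh.read(8192))  # header sits at top of file
            if m:
                return m.group(1)
    return None


def check_plugins_dir(plugins_dir: str) -> Dict[str, str]:
    """Return {slug: version} for an installed royal-mcp copy still at a vulnerable version."""
    findings = {}
    target = os.path.join(plugins_dir, AFFECTED_SLUG)
    if os.path.isdir(target):
        ver = plugin_version(target)
        if ver and is_vulnerable(ver):
            findings[AFFECTED_SLUG] = ver
    return findings


def make_sample_install(version: str) -> str:
    """Constructed wp-content/plugins tree with a royal-mcp header (assumed layout)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, AFFECTED_SLUG))
    with open(os.path.join(root, AFFECTED_SLUG, "royal-mcp.php"), "w") as fh:
        fh.write(f"<?php\n/**\n * Plugin Name: Royal MCP\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    print(check_plugins_dir(make_sample_install("1.4.2")))  # flags the vulnerable install
```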