
CMP plugin RCE via cmp_theme_update_install lets attackers drop code into wp-content/plugins/cmp-premium-themes — urgent WordPress cyber risk

What happened

The crux here is a WordPress AJAX action named cmp_theme_update_install that can be abused to make the site download a ZIP from an attacker-supplied URL and extract it into wp-content/plugins/cmp-premium-themes/.

The vulnerability affects the CMP – Coming Soon & Maintenance Plugin by NiteoThemes in all versions up to and including 4.1.16, and allows arbitrary file upload and remote code execution when an authenticated attacker with Administrator-level access invokes that AJAX action. The root causes listed in the advisory are an incorrect capability check — the code only checks for publish_pages (Editors and above) instead of manage_options (Administrators only) — plus no validation of the supplied file URL and no verification of the downloaded file’s content before extraction.

The advisory notes Editors are unable to exploit the flaw because a nonce is missing for Editor requests. The advisory does not disclose who discovered the issue, nor does it state whether a patched version has been released, so vendor status has not been confirmed.

Why this matters to businesses

If you run WordPress sites that use third‑party plugins, this is textbook supply-chain risk, except nastier because the attacker can plant executable PHP under a web‑accessible plugin folder. Customers, partners and suppliers that trust your site can be exposed to data theft, credential harvesting, or malware delivery.

Operational impact is straightforward: web shells lead to lateral moves, backups may be compromised, and incident response eats engineering time. Regulators look poorly on unmanaged third‑party code, and insurers will want proof you had basic controls in place, not excuses about “plugin convenience”.

And while we’re at it, yes we’ve seen this before — leaving high‑privilege capabilities on too many accounts and treating plugin installs like a supermarket impulse buy is a bad habit that bites.

If you’ve got the same weakness, here’s what happens next

First, an Administrator or compromised admin account invokes the AJAX action with a URL pointing at an attacker-controlled ZIP. The server downloads and extracts the files into wp-content/plugins/cmp-premium-themes/, creating web‑runnable PHP or scripts.

Second, quiet persistence is the likely aim: a web shell, scheduled tasks, or backdoor plugin code that survives restarts and can be used to pivot. Third, detection tends to lag because the files look like plugin assets until someone inspects them, and by then backups may contain the implant too.

Finally, recovery costs can spiral — restore testing, full forensic imaging, credential rotations, legal notices and possible regulatory reporting. Not fun, and not cheap.

What to do on Monday morning

  1. Inventory all WordPress sites and identify installations of “CMP – Coming Soon & Maintenance” and the plugin version; flag any at or below 4.1.16 as high priority.

  2. If the plugin is present and you cannot immediately confirm a vendor patch, disable or remove the plugin and replace it with a known safe alternative until you have vendor guidance.

  3. Rotate credentials for all Administrator accounts, revoke unused admin access, and enforce least privilege so fewer accounts can reach manage_options.

  4. Scan web roots for unexpected files under wp-content/plugins/cmp-premium-themes/ and other plugin folders; treat any unknown PHP or executable file as compromise and isolate the host.

  5. Restore from known-good backups if implants are found, but first snapshot the compromised system for forensics and check backup integrity before restoring to production.

  6. Harden plugin management: restrict who can install or update plugins, require multi-person change approval for plugin installs, and log plugin-related AJAX calls for future detection.

  7. Improve monitoring: add file integrity checks, alert on new files in plugin directories, and ensure web server logs are retained for incident analysis.
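As an added example (not from the advisory or the plugin itself), a Python helper covering steps 4, 6 and 7: it flags admin-ajax.php requests carrying the cmp_theme_update_install action in constructed access-log lines, and scans the plugin folder for executable files absent from a known-good baseline. The sample log lines, the temp-dir plugin tree and the baseline file set are all constructed assumptions.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Plugin folder named in the advisory; extensions the web server may execute.
PLUGIN_DIR = Path("wp-content/plugins/cmp-premium-themes")
EXEC_EXT = {".php", ".phtml", ".php5", ".phar"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
SAMPLE_LOG = [  # constructed lines with documentation IPs, not real traffic
    '203.0.113.7 - - [10/Jun/2024:09:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=cmp_theme_update_install HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.3 - - [10/Jun/2024:09:15:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

def flag_ajax_calls(log_lines):
    """Return (client_ip, method, path) for requests that name the advisory's
    AJAX action in the query string. WordPress also accepts 'action' in the
    POST body, which access logs omit, so add application-level logging too."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m.groups()
        url = urlsplit(target)
        if url.path.endswith("/wp-admin/admin-ajax.php") and \
           "cmp_theme_update_install" in parse_qs(url.query).get("action", []):
            flagged.append((ip, method, url.path))
    return flagged

def find_unexpected_files(root, baseline):
    """Plugin-relative paths of executable files missing from a known-good baseline."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_EXT:
            rel = p.relative_to(root).as_posix()
            if rel not in baseline:
                hits.append(rel)
    return sorted(hits)

def scan_demo_tree():
    """Build a constructed plugin tree with one planted PHP file and scan it
    against an assumed baseline (the file list of a clean plugin copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / PLUGIN_DIR
        for rel in ["cmp-premium-themes.php", "assets/style.css", "assets/cache.php"]:
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample\n")
        return find_unexpected_files(root, {"cmp-premium-themes.php"})
```

Run find_unexpected_files against a real plugin folder with a baseline taken from a clean copy of the same plugin version; any hit is a candidate implant to isolate and preserve for forensics rather than delete.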

Where ISO standards fit, without the sales pitch

An ISO 27001 aligned information security management system helps here by forcing you to know what software is running where and who is entitled to change it, which directly reduces the chance an attacker can abuse mistaken capability checks — see ISO 27001 for the kind of controls that help.

When recovery and continuity matter, an ISO 22301 approach ensures you can restore customer‑facing services and run a clear incident playbook without flailing; that sort of preparedness shortens outage windows and shrinks regulatory exposure, see ISO 22301 guidance.

For baseline certification and foundational controls that make this sort of plugin risk less likely to turn into a full compromise, consider mapped frameworks like IASME which tie patching, access control and supplier checks into tangible requirements, see IASME.

Practically, these standards mean you don’t rely on memory or habits to manage admin accounts and plugin updates — you have documented checks, change control and evidence for auditors and insurers.

Take a breath, then act. If the CMP plugin is in your estate, treat it like hot coal until you know it’s safe: inventory, isolate, and restore from a verified backup if you find unknown code.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.