Skip to main content

MainWP Child CVE-2026-27366

| EUVDEUVD-2026-39362 HIGH
Missing Authorization (CWE-862)
2026-06-25 Patchstack GHSA-hpf4-4ccj-785m
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable and unauthenticated (AV:N/PR:N) but gated by required victim interaction (UI:R) and non-trivial preconditions (AC:H); missing authorization can yield full data and integrity impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:16 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.

AnalysisAI

Broken access control in the MainWP Child WordPress plugin (versions 6.1.1 and earlier) allows remote attackers to invoke privileged actions without proper authorization checks (CWE-862). Because the flaw is reachable without authentication (PR:N) it can be triggered by external attackers, though exploitation depends on tricking a user into an action (UI:R) and on overcoming non-trivial conditions (AC:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate WordPress site running MainWP Child ≤6.1.1
Delivery
Craft request to unauthorized plugin handler
Exploit
Induce victim interaction to trigger action
Execution
Bypass missing authorization check
Impact
Execute privileged operation on site

Vulnerability AssessmentAI

Exploitation Exploitation targets the MainWP Child plugin's privileged request handlers that lack a proper capability/authorization check. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward moderate, not emergency, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running MainWP Child <= 6.1.1 and crafts a request to a privileged plugin handler that fails to enforce authorization, then lures a logged-in user or administrator into triggering the action (satisfying the UI:R requirement) to perform an operation the attacker could not otherwise authorize. Given AC:H, the attacker must satisfy additional conditions (such as timing, a valid request structure, or a specific site state) for the bypass to succeed. …
Remediation No vendor-released patch version was identified in the supplied data; the '<= 6.1.1' affected range implies a fixed release (likely 6.1.2 or later) exists, but it is not confirmed here, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mainwp-child/vulnerability/wordpress-mainwp-child-plugin-6-1-1-broken-access-control-vulnerability) and the official MainWP changelog to obtain and install the next available release above 6.1.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress installations running MainWP Child plugin versions 6.1.1 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-27366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy