Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Network-reachable and unauthenticated (AV:N/PR:N) but gated by required victim interaction (UI:R) and non-trivial preconditions (AC:H); missing authorization can yield full data and integrity impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.
AnalysisAI
Broken access control in the MainWP Child WordPress plugin (versions 6.1.1 and earlier) allows remote attackers to invoke privileged actions without proper authorization checks (CWE-862). Because the flaw is reachable without authentication (PR:N) it can be triggered by external attackers, though exploitation depends on tricking a user into an action (UI:R) and on overcoming non-trivial conditions (AC:H). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation targets the MainWP Child plugin's privileged request handlers that lack a proper capability/authorization check. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward moderate, not emergency, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running MainWP Child <= 6.1.1 and crafts a request to a privileged plugin handler that fails to enforce authorization, then lures a logged-in user or administrator into triggering the action (satisfying the UI:R requirement) to perform an operation the attacker could not otherwise authorize. Given AC:H, the attacker must satisfy additional conditions (such as timing, a valid request structure, or a specific site state) for the bypass to succeed. … |
| Remediation | No vendor-released patch version was identified in the supplied data; the '<= 6.1.1' affected range implies a fixed release (likely 6.1.2 or later) exists, but it is not confirmed here, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mainwp-child/vulnerability/wordpress-mainwp-child-plugin-6-1-1-broken-access-control-vulnerability) and the official MainWP changelog to obtain and install the next available release above 6.1.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress installations running MainWP Child plugin versions 6.1.1 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mainwp Child
View allThe MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameter before using them in a
The MainWP Child Reports plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and inc
The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including,
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39362
GHSA-hpf4-4ccj-785m