Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Network-reachable endpoint with subscriber-level auth (PR:L) sufficient; low C/I/A reflects partial access/modification, not full administrative compromise.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in MainWP <= 6.1.1 versions.
AnalysisAI
Broken access control in MainWP WordPress plugin versions 6.1.1 and below allows authenticated subscribers to bypass authorization checks and perform actions restricted to higher-privileged roles. The CVSS vector (PR:L, AC:L, AV:N) confirms any low-privileged WordPress account - the subscriber role being the lowest default - is sufficient for network-based exploitation with no special complexity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account at subscriber role or above on the target site running MainWP 6.1.1 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS score of 6.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L reflects a network-exploitable flaw requiring only subscriber-level authentication and no user interaction, but with limited per-impact outcomes (C:L/I:L/A:L) and no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running MainWP 6.1.1 or earlier - trivially achievable on any site with open user registration - then submits a crafted HTTP POST request to an unprotected plugin endpoint intended for administrative use. The missing capability check allows the request to succeed, enabling the attacker to read sensitive site management data, modify plugin settings, or cause limited disruption. … |
| Remediation | Update the MainWP plugin to any version released after 6.1.1; the exact patched release should be verified via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/mainwp/vulnerability/wordpress-mainwp-plugin-6-1-1-broken-access-control-vulnerability, as a specific fix version is not confirmed in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40098
GHSA-jqjh-8jhc-v62j