Skip to main content

WordPress EUVDEUVD-2026-20044

| CVE-2026-4299 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Wordfence GHSA-xg9f-423r-vcp9
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 04:30 euvd
EUVD-2026-20044
Analysis Generated
Apr 08, 2026 - 04:30 vuln.today
CVE Published
Apr 08, 2026 - 03:36 nvd
MEDIUM 5.3

DescriptionCVE.org

The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.

AnalysisAI

Authenticated attackers with Subscriber-level access can extract MainWP Child Reports activity logs including action summaries, user information, IP addresses, and contextual data from WordPress sites running the MainWP Child Reports plugin up to version 2.2.6 by exploiting a missing authorization check in the WordPress Heartbeat API handler. The vulnerability (CVSS 5.3) affects information disclosure only and requires network access but no user interaction; no public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The MainWP Child Reports plugin registers a callback handler for the WordPress Heartbeat API, a real-time messaging system built into WordPress core that uses AJAX requests to maintain communication between the client browser and server. The vulnerable heartbeat_received() function in the Live_Update class (lines 44 and 182 of class-live-update.php) processes incoming heartbeat requests containing the 'wp-mainwp-stream-heartbeat' data key but fails to validate that the requesting user possesses the necessary WordPress capability (typically manage_options or a custom MainWP capability) before returning sensitive activity log entries. The root cause is CWE-862 (Missing Authorization), a class of vulnerability where access control is not enforced for a critical function. Because the Heartbeat API is available to any authenticated user (including Subscribers), and the plugin does not perform capability verification before serving log data, low-privileged accounts can retrieve information intended for administrators only.

RemediationAI

Update the MainWP Child Reports plugin to a patched version beyond 2.2.6 as soon as available from the WordPress plugin repository or the MainWP vendor. The fix requires adding a WordPress capability check (typically current_user_can( 'manage_options' ) or a MainWP-specific capability) within the heartbeat_received() function before returning activity log data. If a patched version is not yet available, a temporary workaround is to disable the WordPress Heartbeat API globally or restrict it to administrators only via code or a security plugin, though this may impact live update features. Review the official Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4141bd-cd3f-44e9-b423-be03377a342d?source=cve) for detailed remediation guidance and patch availability confirmation. Users should prioritize this update for any MainWP Child Reports installation accessible to low-privileged user accounts.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-20044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy