Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.
AnalysisAI
Authenticated attackers with Subscriber-level access can extract MainWP Child Reports activity logs including action summaries, user information, IP addresses, and contextual data from WordPress sites running the MainWP Child Reports plugin up to version 2.2.6 by exploiting a missing authorization check in the WordPress Heartbeat API handler. The vulnerability (CVSS 5.3) affects information disclosure only and requires network access but no user interaction; no public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The MainWP Child Reports plugin registers a callback handler for the WordPress Heartbeat API, a real-time messaging system built into WordPress core that uses AJAX requests to maintain communication between the client browser and server. The vulnerable heartbeat_received() function in the Live_Update class (lines 44 and 182 of class-live-update.php) processes incoming heartbeat requests containing the 'wp-mainwp-stream-heartbeat' data key but fails to validate that the requesting user possesses the necessary WordPress capability (typically manage_options or a custom MainWP capability) before returning sensitive activity log entries. The root cause is CWE-862 (Missing Authorization), a class of vulnerability where access control is not enforced for a critical function. Because the Heartbeat API is available to any authenticated user (including Subscribers), and the plugin does not perform capability verification before serving log data, low-privileged accounts can retrieve information intended for administrators only.
RemediationAI
Update the MainWP Child Reports plugin to a patched version beyond 2.2.6 as soon as available from the WordPress plugin repository or the MainWP vendor. The fix requires adding a WordPress capability check (typically current_user_can( 'manage_options' ) or a MainWP-specific capability) within the heartbeat_received() function before returning activity log data. If a patched version is not yet available, a temporary workaround is to disable the WordPress Heartbeat API globally or restrict it to administrators only via code or a security plugin, though this may impact live update features. Review the official Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4141bd-cd3f-44e9-b423-be03377a342d?source=cve) for detailed remediation guidance and patch availability confirmation. Users should prioritize this update for any MainWP Child Reports installation accessible to low-privileged user accounts.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20044
GHSA-xg9f-423r-vcp9