Mainwp
Monthly
Broken access control in MainWP WordPress plugin versions 6.1.1 and below allows authenticated subscribers to bypass authorization checks and perform actions restricted to higher-privileged roles. The CVSS vector (PR:L, AC:L, AV:N) confirms any low-privileged WordPress account - the subscriber role being the lowest default - is sufficient for network-based exploitation with no special complexity. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the minimal barrier to obtaining a subscriber account on sites with open registration makes this a meaningful risk for multi-user or membership-based installations.
The MainWP Dashboard - WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including,. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable.
Broken access control in MainWP WordPress plugin versions 6.1.1 and below allows authenticated subscribers to bypass authorization checks and perform actions restricted to higher-privileged roles. The CVSS vector (PR:L, AC:L, AV:N) confirms any low-privileged WordPress account - the subscriber role being the lowest default - is sufficient for network-based exploitation with no special complexity. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the minimal barrier to obtaining a subscriber account on sites with open registration makes this a meaningful risk for multi-user or membership-based installations.
The MainWP Dashboard - WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including,. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable.