Description

WordPress Plugin MainWP Child-Securely connects sites to the MainWP WordPress Manager Dashboard is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently gain full control of target application if the administrative user name is known. WordPress Plugin MainWP Child-Securely connects sites to the MainWP WordPress Manager Dashboard version 3.4.4 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 3.4.5 or latest

References

https://medium.com/websec/authentication-bypass-rce-on-300k-live-websites-using-mainwp-child-3-4-5-30a69097f633

https://plugins.svn.wordpress.org/mainwp-child/trunk/readme.txt

Related Vulnerabilities

SharePoint CVE-2022-21837 Vulnerability (CVE-2022-21837)

WordPress Plugin Analytics Cross-Site Scripting (1.2.3)

Atlassian Jira URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2019-11585)

WordPress Plugin GiveWP-Donation and Fundraising Platform Cross-Site Scripting (2.4.6)

PostgreSQL Improper Certificate Validation Vulnerability (CVE-2012-0867)

Severity

High

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass