Unauthenticated Attackers Can Escalate Privileges in MainWP Child Plugin
CVE-2024-10783

8.1 HIGH

Key Information:

Summary

A privilege escalation vulnerability exists in the MainWP Child plugin for WordPress, affecting all versions up to and including 5.2. This vulnerability stems from missing authorization checks in the register_site function, particularly when a site remains in an unconfigured state. Unauthenticated attackers can potentially exploit this flaw to log in as an administrator on sites where the MainWP Child plugin is installed but not connected to the MainWP Dashboard. Notably, sites employing the unique security ID feature or already connected to the dashboard are not impacted. Version 5.2.1 provides a partial fix, while version 5.3 offers a complete resolution to the vulnerability.

Affected Version(s)

MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites: all versions <= 5.2

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sean Murphy