Description
Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated broken access control flaw in the MainWP Child plugin for WordPress. It allows an attacker to perform actions that should be restricted to authenticated administrators, enabling critical changes such as site management or configuration without any credentials. This flaw qualifies as a privilege escalation issue (CWE-862). If exploited, an attacker could compromise the confidentiality, integrity, and availability of the protected sites by altering settings or executing other privileged operations.

Affected Systems

The issue affects the MainWP Child plugin version 6.1.1 and earlier, used with WordPress installations. Any environment running one of these versions of the plugin is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Because the flaw allows unauthenticated access, the likely attack vector is via the web interface over the network, targeting the plugin’s administrative endpoints. Organizations using affected versions should consider the risk of remote compromise until a patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 16:07 UTC.

Remediation

Vendor Solution

Update the WordPress MainWP Child Plugin to the latest available version (at least 6.1.2).


OpenCVE Recommended Actions

  • Update the MainWP Child plugin to version 6.1.2 or later to eliminate the access control flaw.
  • Configure firewall or security plugin rules to block or rate‑limit unauthenticated access to the plugin’s administrative URLs such as /wp-admin/admin-ajax.php.
  • If the plugin is not essential, disable or uninstall it to remove the attack surface until a patch is delivered.

Generated by OpenCVE AI on June 25, 2026 at 16:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Mainwp
Mainwp mainwp Child
Wordpress
Wordpress wordpress
Vendors & Products Mainwp
Mainwp mainwp Child
Wordpress
Wordpress wordpress

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.
Title WordPress MainWP Child plugin <= 6.1.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Mainwp Mainwp Child
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T17:59:01.166Z

Reserved: 2026-02-19T09:51:54.219Z

Link: CVE-2026-27366

cve-icon Vulnrichment

Updated: 2026-06-29T17:58:55.374Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T23:45:04Z

Weaknesses