Impact
The vulnerability is an unauthenticated broken access control flaw in the MainWP Child plugin for WordPress. It allows an attacker to perform actions that should be restricted to authenticated administrators, enabling critical changes such as site management or configuration without any credentials. This flaw qualifies as a privilege escalation issue (CWE-862). If exploited, an attacker could compromise the confidentiality, integrity, and availability of the protected sites by altering settings or executing other privileged operations.
Affected Systems
The issue affects the MainWP Child plugin version 6.1.1 and earlier, used with WordPress installations. Any environment running one of these versions of the plugin is vulnerable.
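To check an installation against the affected range above, the following added example (not part of the advisory and not MainWP code) reads the standard WordPress plugin header from each plugin's PHP files and flags MainWP Child at 6.1.1 or earlier. It assumes the plugin's main file declares `Plugin Name: MainWP Child` and that the operator supplies the path to the site's plugins directory; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (6, 1, 1)      # advisory: MainWP Child 6.1.1 and earlier
PLUGIN_NAME = "mainwp child"   # assumed value of the "Plugin Name:" header

def header_field(php_source, field):
    """Read one field from a WordPress plugin header comment (first 8 KB)."""
    pattern = r"^[ \t/*#@]*" + re.escape(field) + r":[ \t]*(.*?)[ \t\r]*$"
    m = re.search(pattern, php_source[:8192], re.M | re.I)
    return m.group(1) if m and m.group(1) else None

def version_key(version):
    """'6.1' -> (6, 1); '6.1.1-beta' -> (6, 1, 1); trailing zeros dropped."""
    nums = [int(n) for n in re.findall(r"\d+", re.split(r"[-+ ]", version)[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def is_affected(version):
    """Unknown versions count as affected so they get a manual look."""
    return version is None or version_key(version) <= LAST_AFFECTED

def scan_plugins(plugins_dir):
    """Return (path, version, affected) for each MainWP Child main file found."""
    found = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        src = php.read_text(encoding="utf-8", errors="replace")
        name = header_field(src, "Plugin Name")
        if name and name.lower() == PLUGIN_NAME:
            ver = header_field(src, "Version")
            found.append((str(php), ver, is_affected(ver)))
    return found

# Constructed sample header, not copied from the plugin.
SAMPLE = "<?php\n/**\n * Plugin Name: MainWP Child\n * Version: 6.1.1\n */\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:          # example: /var/www/site/wp-content/plugins
        for path, ver, bad in scan_plugins(sys.argv[1]):
            print(f"{'AFFECTED' if bad else 'ok':9} {ver or 'unknown':10} {path}")
    else:
        print(is_affected(header_field(SAMPLE, "Version")))
```

Matching on the header rather than the directory name still finds the plugin when its folder has been renamed.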
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity vulnerability. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Because the flaw allows unauthenticated access, the likely attack vector is via the web interface over the network, targeting the plugin’s administrative endpoints. Organizations using affected versions should consider the risk of remote compromise until a patch is applied.