CVE-2026-4299 - Vulnerability Details

- MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API

Description

The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.

Published: 2026-04-08

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The MainWP Child Reports plugin fails to verify user capabilities when handling heartbeat requests, allowing any authenticated user with Subscriber-level access or higher to fetch activity log entries over the WordPress Heartbeat API. These logs expose action summaries, user identities, IP addresses, and contextual information that could aid further attacks or compromise site integrity.

Affected Systems

All WordPress sites running MainWP Child Reports up to and including version 2.2.6 are impacted. The vulnerability originates in the Live_Update class’s heartbeat_received() function within the plugin.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity: exploitation requires valid credentials but no privileged access. Although the exploit is not included in public known exploit catalogs, the ability to read sensitive logs represents a significant risk for reconnaissance and credential compromise. Administrators should prioritize remediation and monitor for anomalous log access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mainwp

MainWP Child Reports

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.2.6

No data.

Vendor Product Confidence Versions

Mainwp

Mainwp Child Reports

100%

Version	Status	Scheme	Platform
`[0,2.2.6]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the MainWP Child Reports plugin to the latest version, which implements the missing capability check in heartbeat_received().
If an immediate update is not possible, limit the wp-mainwp-stream-heartbeat action by disabling it in the plugin settings or blocking the endpoint via web server configuration.
After applying the fix, test that Subscriber-level accounts cannot retrieve activity logs through a crafted heartbeat request.
Continuously monitor the activity logs for unauthorized access attempts and review user permissions regularly.

Generated by OpenCVE AI on April 8, 2026 at 05:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L182
https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L44
https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L182
https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L44
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490157%40mainwp-child-reports&new=3490157%40mainwp-child-reports&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4141bd-cd3f-44e9-b423-be03377a342d?source=cve

History

Mon, 13 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mainwp Mainwp mainwp Child Reports Wordpress Wordpress wordpress
Vendors & Products		Mainwp Mainwp mainwp Child Reports Wordpress Wordpress wordpress

Wed, 08 Apr 2026 04:30:00 +0000

Type	Values Removed	Values Added
Description		The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.
Title		MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L182 https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L44 https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L182 https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L44 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490157%40mainwp-child-reports&new=3490157%40mainwp-child-reports&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4141bd-cd3f-44e9-b423-be03377a342d?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Mainwp Mainwp Child Reports

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-08T03:36:09.655Z

Updated: 2026-04-13T15:15:10.520Z

Reserved: 2026-03-16T19:23:21.908Z

Link: CVE-2026-4299

Vulnrichment

Updated: 2026-04-13T15:12:10.779Z

NVD

Status : Deferred

Published: 2026-04-08T05:16:06.520

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-4299

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:44:00Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object