Mainwp Child Reports
cpe:2.3:a:mainwp:mainwp_child_reports:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Mainwp (5e348f7c-45b2-5ec4-9942-e0176950c16b) |
|---|---|
| Product | Mainwp Child Reports (ae26e4c0-1d91-5bfb-9832-4493483f9b9a) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/wp-plugins/mainwp-child-reports | purl2cpe | 2026-06-01 10:12:46.419039 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-4299 | vulnerable | 2026-06-03 15:26:25.153744 | MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API<br>MEDIUM (5.3)<br>The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.<br>Published: 2026-04-08T03:36:09.655Z<br>Updated: 2026-04-13T15:15:10.520Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-7492 | vulnerable | 2026-06-03 14:58:06.014944 | MainWP Child Reports <= 2.2 - Cross-Site Request Forgery to Arbitrary Options Update<br>HIGH (8.8)<br>The MainWP Child Reports plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances.<br>Published: 2024-08-08T02:32:08.923Z<br>Updated: 2026-04-08T17:24:15.554Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-33680 | vulnerable | 2026-06-03 14:55:52.840366 | WordPress MainWP Child Reports plugin <= 2.1.1 - Cross Site Request Forgery (CSRF) vulnerability<br>MEDIUM (5.4)<br>Cross-Site Request Forgery (CSRF) vulnerability in MainWP MainWP Child Reports. This issue affects MainWP Child Reports: from n/a through 2.1.1.<br>Published: 2024-04-26T10:37:01.657Z<br>Updated: 2026-04-28T16:09:45.147Z | Imported from gcve-enriched-dumps CVE data |