
MainWP Child Reports plugin leaks sensitive data to malicious users

CVE-2026-4299
Summary

An attacker with Subscriber-level access or higher can obtain sensitive information from your WordPress site's activity logs by sending a crafted WordPress Heartbeat API request. This includes user information, IP addresses, and other details. Update to the latest version of the MainWP Child Reports plugin to fix this issue.

Original title
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received()...
Original description
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.
NVD CVSS 3.1: 5.3
Vulnerability type
CWE-862 Missing Authorization
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026
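
The class of fix the description points to, as an added example that is not the MainWP Child Reports source: a `heartbeat_received` callback that checks the caller's capability before attaching log rows to the response. The `example_*` names, the `manage_options` capability, the payload shape and the sample row are assumptions made for illustration; the file is meant to be loaded by WordPress as a plugin.

```php
<?php
// Added illustration; not the plugin's own code.
// Assumption: activity logs are for administrators only, so 'manage_options'
// stands in for whatever capability the real plugin requires.
const EXAMPLE_REPORTS_CAP   = 'manage_options';
const EXAMPLE_HEARTBEAT_KEY = 'wp-mainwp-stream-heartbeat'; // data key named in the advisory

/**
 * Hypothetical stand-in for the plugin's log query. Returns constructed rows.
 */
function example_fetch_recent_log_rows( $since_id ) {
	return array(
		array(
			'ID'      => $since_id + 1,
			'summary' => 'constructed sample entry',
			'ip'      => '192.0.2.10', // documentation address (RFC 5737)
		),
	);
}

/**
 * Heartbeat callback. WordPress runs the heartbeat_received filter for every
 * logged-in user, Subscribers included, so the callback has to authorize the
 * caller itself before it returns anything sensitive.
 */
function example_heartbeat_received( $response, $data ) {
	// Ignore heartbeat ticks that do not carry this plugin's key.
	if ( ! isset( $data[ EXAMPLE_HEARTBEAT_KEY ] ) ) {
		return $response;
	}

	// The capability check whose absence is CWE-862: without it, any
	// authenticated user who sends the key receives the log rows.
	if ( ! current_user_can( EXAMPLE_REPORTS_CAP ) ) {
		return $response; // leave the response untouched for unauthorized users
	}

	// Assumed payload shape: a scalar "last seen" row ID. Anything else is 0.
	$payload  = $data[ EXAMPLE_HEARTBEAT_KEY ];
	$since_id = is_scalar( $payload ) ? absint( $payload ) : 0;

	$response[ EXAMPLE_HEARTBEAT_KEY ] = example_fetch_recent_log_rows( $since_id );
	return $response;
}
add_filter( 'heartbeat_received', 'example_heartbeat_received', 10, 2 );
```

When reviewing other plugins for the same weakness, look for `heartbeat_received` callbacks that return data without a `current_user_can()` check between the key lookup and the response assignment.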