Security Alert Summary
The MainWP Child Reports plugin for WordPress contains a Missing Authorization vulnerability that affects versions up to and including 2.2.6. A missing capability check in the heartbeat_received() function of the Live_Update class allows certain authenticated requests using the WordPress Heartbeat API to retrieve MainWP Child Reports activity log entries.
CVE Details
- CVE ID: CVE-2026-4299
- Affected component: MainWP Child Reports plugin for WordPress (Live_Update class)
- Affected versions: All versions up to and including 2.2.6
- Published: April 8, 2026 at 5:16:06 AM UTC
- Last modified: April 8, 2026 at 5:16:06 AM UTC
- CVSS v3.1: Base Score 5.3; Severity MEDIUM
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Authentication / privileges / user interaction (from the CVSS vector): Privileges Required: NONE; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW; Scope: UNCHANGED
- Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
- CWE / weakness: CWE-862 (Missing Authorization)
Technical Details
The vulnerability is a missing authorization check in the heartbeat_received() function within the Live_Update class. Specifically, the plugin does not verify capabilities before processing certain Heartbeat API requests. An attacker can send a crafted Heartbeat request containing the wp-mainwp-stream-heartbeat data key to trigger code paths that return MainWP Child Reports activity log entries.
As a result, authenticated attackers with Subscriber-level access and above can obtain activity log entries, including action summaries, user information, IP addresses, and contextual data. Note that the CVSS vector above records Privileges Required: NONE, whereas the description requires at least a Subscriber-level account. The root cause is the absence of a capability check (authorization) where one is expected, which corresponds to CWE-862.
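The following is an added illustration of the CWE-862 pattern on WordPress's heartbeat_received filter, not the plugin's own code: a callback that serves activity log entries to any logged-in user whose heartbeat carries the data key, beside the corrected form that gates the same path on a capability. The data key name comes from the advisory; the entry source, the last_id sub-key, the example_ function names and the manage_options capability are assumptions made for this example.

```php
<?php
// Added example (not MainWP Child Reports code). Shows a missing capability
// check in a Heartbeat API handler and the corrected version side by side.
// The data key is taken from the advisory; everything else is constructed.

// Constructed sample entries standing in for the plugin's activity log.
function example_fetch_activity_entries( int $since_id ): array {
    $log = [
        [ 'id' => 41, 'summary' => 'Plugin "foo" activated',   'user_login' => 'admin',   'ip' => '203.0.113.7' ],
        [ 'id' => 42, 'summary' => 'Post "Q3 roadmap" edited', 'user_login' => 'editor1', 'ip' => '198.51.100.9' ],
    ];
    return array_values( array_filter( $log, fn( $e ) => $e['id'] > $since_id ) );
}

// VULNERABLE SHAPE: the only gate is the presence of the data key, so any
// authenticated user (Subscriber and up) whose heartbeat includes it gets entries.
function example_heartbeat_received_vulnerable( array $response, array $data ): array {
    if ( ! isset( $data['wp-mainwp-stream-heartbeat'] ) ) {
        return $response;
    }
    $since_id = (int) ( $data['wp-mainwp-stream-heartbeat']['last_id'] ?? 0 ); // 'last_id' is constructed
    $response['wp-mainwp-stream-heartbeat'] = example_fetch_activity_entries( $since_id );
    return $response;
}

// HARDENED SHAPE: identical flow, but the log is only returned to users who
// hold a capability that permits viewing the activity log (closes CWE-862).
function example_heartbeat_received_hardened( array $response, array $data ): array {
    if ( ! isset( $data['wp-mainwp-stream-heartbeat'] ) ) {
        return $response;
    }
    // 'manage_options' is an assumption; use whatever capability protects the
    // plugin's own log screen so the Heartbeat path is never more permissive.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response; // unauthorized: leave the heartbeat response untouched
    }
    $since_id = (int) ( $data['wp-mainwp-stream-heartbeat']['last_id'] ?? 0 );
    $response['wp-mainwp-stream-heartbeat'] = example_fetch_activity_entries( $since_id );
    return $response;
}

// Register the hardened callback; heartbeat_received only fires for logged-in
// users, which is exactly the population the missing check failed to narrow.
add_filter( 'heartbeat_received', 'example_heartbeat_received_hardened', 10, 2 );
```

When auditing a plugin for this class of bug, compare every Heartbeat or AJAX handler against the capability its corresponding admin screen requires; a handler that returns the same data with a weaker check is the pattern described above.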
How This Could Impact Your Website
On a multi-user WordPress site, the site owner and administrators rely on activity logs to monitor changes and user actions. If a contractor, contributor, or a low-privilege user account (Subscriber-level or higher) is able to craft a Heartbeat request that returns activity logs, the following practical consequences could occur:
- Exposure of internal user information such as usernames and email addresses present in activity entries.
- Exposure of IP addresses and contextual activity data that could be used to profile staff or contractors.
- Increased risk of targeted phishing or social engineering against staff whose emails or actions are visible in the logs.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other non-administrative accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior or unexpected access patterns.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L182
- https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L44
- https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L182
- https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L44
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490157%40mainwp-child-reports&new=3490157%40mainwp-child-reports&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4141bd-cd3f-44e9-b423-be03377a342d?source=cve