
mainwp — Vulnerabilities & Security Advisories (20)

Browse all 20 CVE security advisories affecting mainwp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

MainWP is an open-source WordPress management plugin that enables centralized administration of multiple sites from a single dashboard. Its architecture, which relies on remote API communication between a MainWP Dashboard site and its connected MainWP Child sites, has historically introduced significant security risk. Security researchers have identified numerous vulnerabilities, including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and Privilege Escalation flaws, often stemming from insufficient input validation and weak authentication in the dashboard-to-child communication protocol. These defects can allow an attacker to execute arbitrary code or manipulate site configurations remotely. While the project maintains an active development cycle to patch these issues, the complexity of its distributed design continues to attract exploitation attempts. The twenty recorded CVEs underscore the importance of rigorous code auditing and timely updates for administrators who rely on this tool for bulk site management.

| CVE ID | Title | Affected product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-4299 | MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API | MainWP Child Reports | CWE-862 | 5.3 | Medium | 2026-04-08 |
| CVE-2024-10783 | MainWP Child <= 5.3.3 - Missing Authorization to Unauthenticated Privilege Escalation | MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites | CWE-862 | 8.1 | High | 2024-12-13 |
| CVE-2016-15041 | MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance Plugin <= 3.1.2 - Stored Cross-Site Scripting | MainWP Dashboard: Self-hosted WordPress Management for Agencies | CWE-79 | 7.2 | High | 2024-10-16 |
| CVE-2024-7492 | MainWP Child Reports <= 2.2 - Cross-Site Request Forgery to Arbitrary Options Update | MainWP Child Reports | CWE-352 | 8.8 | High | 2024-08-08 |
| CVE-2023-23640 | WordPress MainWP UpdraftPlus Extension Plugin <= 4.0.6 - Subscriber+ Arbitrary Plugin Activation Vulnerability | MainWP UpdraftPlus Extension | CWE-862 | 5.4 | Medium | 2024-06-09 |
| CVE-2023-23639 | WordPress MainWP Staging Extension Plugin <= 4.0.3 - Subscriber+ Arbitrary Plugin Activation Vulnerability | MainWP Staging Extension | CWE-862 | 5.4 | Medium | 2024-06-09 |
| CVE-2023-23645 | WordPress MainWP Code Snippets Extension Plugin <= 4.0.2 - Subscriber+ Arbitrary PHP Code Injection/Execution Vulnerability | MainWP Code Snippets Extension | CWE-94 | 9.9 | Critical | 2024-05-17 |
| CVE-2024-33680 | WordPress MainWP Child Reports plugin <= 2.1.1 - Cross Site Request Forgery (CSRF) vulnerability | MainWP Child Reports | CWE-352 | 5.4 | Medium | 2024-04-26 |
| CVE-2023-23649 | WordPress MainWP Links Manager Extension Plugin <= 2.1 - Unauthenticated PHP Object Injection Vulnerability | MainWP Links Manager Extension | CWE-502 | 8.1 | High | 2024-03-28 |
| CVE-2023-23656 | WordPress MainWP File Uploader Extension Plugin <= 4.1 - Unauthenticated Arbitrary File Upload Vulnerability | MainWP File Uploader Extension | CWE-434 | 10.0 | Critical | 2024-03-26 |
| CVE-2023-22699 | WordPress MainWP Wordfence Extension Plugin <= 4.0.7 - Subscriber+ Arbitrary Plugin Activation Vulnerability | MainWP Wordfence Extension | CWE-862 | 5.4 | Medium | 2024-03-25 |
| CVE-2024-1642 | MainWP Dashboard <= 4.6.0.1 - Cross-Site Request Forgery via posting_bulk | MainWP Dashboard: Self-hosted WordPress Management for Agencies | CWE-352 | 4.3 | Medium | 2024-03-13 |
| CVE-2023-38519 | WordPress MainWP Plugin <= 4.4.3.3 is vulnerable to SQL Injection | MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance | CWE-89 | 7.6 | High | 2023-12-20 |
| CVE-2023-6164 | MainWP Dashboard <= 4.5.1.2 - Authenticated (Administrator+) CSS Injection | MainWP Dashboard: Self-hosted WordPress Management for Agencies | CWE-74 | 2.2 | Low | 2023-11-22 |
| CVE-2023-23737 | WordPress MainWP Broken Links Checker Extension Plugin <= 4.0 is vulnerable to SQL Injection | MainWP Broken Links Checker Extension | CWE-89 | 9.3 | Critical | 2023-10-12 |
| CVE-2023-23651 | WordPress MainWP Google Analytics Extension Plugin <= 4.0.4 - SQL Injection vulnerability | MainWP Google Analytics Extension | CWE-89 | 8.5 | High | 2023-10-12 |
| CVE-2023-23660 | WordPress MainWP Maintenance Extension Plugin <= 4.1.1 is vulnerable to SQL Injection | MainWP Maintenance Extension | CWE-89 | 8.5 | High | 2023-07-18 |
| CVE-2023-3132 | MainWP Child <= 4.4.1.1 - Information Disclosure via Back-Up Files | MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites | CWE-200 | 5.9 | Medium | 2023-06-27 |
| CVE-2023-23650 | WordPress MainWP Code Snippets Extension Plugin <= 4.0.2 is vulnerable to Cross Site Scripting (XSS) | MainWP Code Snippets Extension | CWE-79 | 6.5 | Medium | 2023-03-23 |
| CVE-2023-23659 | WordPress MainWP Matomo Extension Plugin <= 4.0.4 is vulnerable to Cross Site Request Forgery (CSRF) | MainWP Matomo Extension | CWE-352 | 4.3 | Medium | 2023-02-23 |

This page lists every published CVE security advisory associated with mainwp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products, and references. AI-generated Chinese analysis is provided for fast triage.