{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4299", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T19:23:21.908Z", "datePublished": "2026-04-08T03:36:09.655Z", "dateUpdated": "2026-04-08T17:02:53.164Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:53.164Z"}, "affected": [{"vendor": "mainwp", "product": "MainWP Child Reports", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key."}], "title": "MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4141bd-cd3f-44e9-b423-be03377a342d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L182"}, {"url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L182"}, {"url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L44"}, {"url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L44"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490157%40mainwp-child-reports&new=3490157%40mainwp-child-reports&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hunter Jensen"}], "timeline": [{"time": "2026-03-16T20:41:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T15:21:54.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key."}], "id": "CVE-2026-4299", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T05:16:06.520", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L182"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L44"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L182"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L44"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490157%40mainwp-child-reports&new=3490157%40mainwp-child-reports&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4141bd-cd3f-44e9-b423-be03377a342d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MainWP Child Reports", "source": "cna", "vendor": "mainwp"}, "product": "mainwp_child_reports", "vendor": "mainwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T05:50:21.154581+00:00", "value": {"mitigation_remediation": ["Upgrade the MainWP Child Reports plugin to the latest version, which implements the missing capability check in heartbeat_received().", "If an immediate update is not possible, limit the wp-mainwp-stream-heartbeat action by disabling it in the plugin settings or blocking the endpoint via web server configuration.", "After applying the fix, test that Subscriber-level accounts cannot retrieve activity logs through a crafted heartbeat request.", "Continuously monitor the activity logs for unauthorized access attempts and review user permissions regularly."], "summary": {"action": "Patch Now", "impact": "Information Disclosure via Heartbeat API"}, "threat_synthesis": {"affected_systems": "All WordPress sites running MainWP Child Reports up to and including version 2.2.6 are impacted. The vulnerability originates in the Live_Update class\u2019s heartbeat_received() function within the plugin.", "description_and_impact": "The MainWP Child Reports plugin fails to verify user capabilities when handling heartbeat requests, allowing any authenticated user with Subscriber-level access or higher to fetch activity log entries over the WordPress Heartbeat API. These logs expose action summaries, user identities, IP addresses, and contextual information that could aid further attacks or compromise site integrity.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity: exploitation requires valid credentials but no privileged access. Although the exploit is not included in public known exploit catalogs, the ability to read sensitive logs represents a significant risk for reconnaissance and credential compromise. Administrators should prioritize remediation and monitor for anomalous log access."}}}}, "created": "2026-04-08T19:33:24.814366+00:00", "updated": "2026-04-08T19:44:00.799467+00:00", "vendors": ["mainwp", "mainwp$PRODUCT$mainwp_child_reports", "wordpress", "wordpress$PRODUCT$wordpress"]}