cleantalk
Vulnerabilities and Security Researches

MainWP Child Reports, CVE-2026-4299

CVE, Research URL

CVE-2026-4299

Home page URL

Security reports for MainWP Child Reports

Application

MainWP Child Reports

Published on
Apr 08, 2026
Research Description
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.
Affected versions
max 2.3.
Status
vulnerable
Previous vulnerability researches
MainWP Child Reports (CVE-2024-33680) , Jun 06, 2024
MainWP Child Reports (CVE-2021-24754) , Jun 06, 2024
MainWP Child Reports (CVE-2026-4299) , Apr 13, 2026
MainWP Child Reports (CVE-2024-7492) , Aug 09, 2024
MainWP Child – Securely Connects Sites to the MainWP WordPress Manager Dashboard , Mar 30, 2026
New vulnerability
Page Builder Gutenberg Blocks – CoBlocks (CVE-2026-4801) , Apr 20, 2026
Categories Images (CVE-2026-2505) , Apr 20, 2026
Contextual Related Posts (CVE-2026-2986) , Apr 20, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-8615) , Apr 20, 2026
Hostel (CVE-2026-1838) , Apr 20, 2026