The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.
The MainWP Child Reports plugin for WordPress contains a missing authorization vulnerability in versions up to 2.2.6 that allows authenticated subscribers to access sensitive activity log data through the Heartbeat API. Attackers can retrieve action summaries, user information, IP addresses, and contextual data without proper capability checks.
The MainWP Child Reports plugin contains a missing authorization vulnerability in all versions up to 2.2.6, where the capability check is missing in the heartbeat_received() function. Authenticated attackers with Subscriber-level access can reach sensitive activity log data via the WordPress Heartbeat API.
Update the MainWP Child Reports plugin to version 2.2.7 or later immediately. Implement capability checks in the heartbeat_received() function to restrict access to authorized administrators only. Review access logs for unauthorized activity log access attempts.
Update the MainWP Child Reports plugin to version 2.2.7 or later immediately. Implement capability checks in the heartbeat_received() function to restrict access to authorized administrators only. Review access logs for unauthorized access attempts.
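The fix described above, shown as an added example (not the plugin's own code): a WordPress 'heartbeat_received' filter that serves log entries for the 'wp-mainwp-stream-heartbeat' data key only after a capability check. The capability name 'manage_options', the example_* function names and the log table are assumptions for illustration.

```php
<?php
// Added example, not MainWP Child Reports code. WordPress core applies
// apply_filters( 'heartbeat_received', $response, $data, $screen_id ) for
// every logged-in Heartbeat request, so any subscriber can send this key.

// Weak pattern (the class of bug in the advisory): data is returned to
// whoever is logged in, with no check of what the user may see.
function example_heartbeat_received_unchecked( $response, $data, $screen_id ) {
    if ( isset( $data['wp-mainwp-stream-heartbeat'] ) ) {
        $response['wp-mainwp-stream-heartbeat'] = example_get_recent_log_entries();
    }
    return $response;
}

// Hardened pattern: authorize before any work is done, and fail closed by
// returning the response untouched (no error detail, no log data).
function example_heartbeat_received_checked( $response, $data, $screen_id ) {
    if ( ! isset( $data['wp-mainwp-stream-heartbeat'] ) ) {
        return $response;
    }
    // Assumed capability: only administrators may read the activity log.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return $response;
    }
    $since = isset( $data['wp-mainwp-stream-heartbeat']['last_id'] )
        ? absint( $data['wp-mainwp-stream-heartbeat']['last_id'] )
        : 0;
    $response['wp-mainwp-stream-heartbeat'] = example_get_recent_log_entries( $since );
    return $response;
}
// Register only the checked handler; never add a 'heartbeat_nopriv_received'
// handler for this key, since that filter runs for logged-out requests.
add_filter( 'heartbeat_received', 'example_heartbeat_received_checked', 10, 3 );

// Hypothetical data-access helper standing in for the plugin's log query.
function example_get_recent_log_entries( $since_id = 0 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_activity_log'; // constructed table name
    $sql   = "SELECT id, summary, user_id, ip, created FROM {$table}"
           . ' WHERE id > %d ORDER BY id DESC LIMIT 50';
    return $wpdb->get_results( $wpdb->prepare( $sql, $since_id ), ARRAY_A );
}
```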