CVE-2026-27366
Deferred Deferred - Pending Action
Unauthenticated Broken Access Control in MainWP Child

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Patchstack

Description
Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-27366
EUVD
EUVD-2026-39362
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mainwp mainwp_child to 6.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in the MainWP Child plugin allows unauthenticated attackers to perform privileged actions due to broken access control, which can lead to unauthorized access and potential data breaches.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Therefore, exploitation of this vulnerability could result in violations of these regulations, leading to legal and financial consequences for affected organizations.

Executive Summary

The WordPress MainWP Child Plugin, versions 6.1.1 and earlier, contains a high-priority Broken Access Control vulnerability (CVE-2026-27366). This flaw allows unauthenticated attackers to perform privileged actions because the plugin lacks proper authorization checks.

Exploitation requires a privileged user to interact with a malicious link, crafted page, or form, which then enables the attacker to bypass access controls.

This vulnerability is categorized under OWASP Top 10's A1: Broken Access Control and has a CVSS severity score of 7.5, indicating a high risk.

Impact Analysis

This vulnerability can allow unauthenticated attackers to perform privileged actions on affected websites, potentially compromising the integrity, confidentiality, and availability of the site.

Successful exploitation could lead to mass-exploit campaigns targeting thousands of websites using the vulnerable plugin.

The impact includes high confidentiality, integrity, and availability losses, as indicated by the CVSS score.

Immediate action is advised to update the plugin to version 6.1.2 or later to mitigate these risks.

Mitigation Strategies

The immediate recommended step is to update the WordPress MainWP Child Plugin to version 6.1.2 or later.

If updating the plugin is not possible immediately, you should seek assistance from your hosting provider or a web developer.

Additionally, Patchstack has issued a mitigation rule that can be applied to block attacks targeting this vulnerability until the plugin is updated.

Detection Guidance

The vulnerability in the WordPress MainWP Child Plugin (versions 6.1.1 and earlier) is a broken access control issue that allows unauthenticated attackers to perform privileged actions. Detection typically involves monitoring for suspicious requests that attempt to exploit missing authorization checks.

Patchstack has issued a mitigation rule to block attacks until the plugin is updated, which can be used as a temporary defense.

However, the provided resources do not include specific commands or detailed detection methods for identifying exploitation attempts on your network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27366. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart