CVE-2026-57327
Status: Received - Intake

Subscriber Broken Access Control in MainWP <= 6.1.1

Vulnerability report for CVE-2026-57327, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Patchstack

Description

Subscriber Broken Access Control in MainWP versions <= 6.1.1.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

2 associated CPEs:

Vendor: mainwp | Product: mainwp | Version / Range: up to and including 6.1.1
Vendor: mainwp | Product: mainwp_plugin | Version / Range: up to and including 6.1.1

Exploitability

CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

The following sections are AI-generated insights.

Executive Summary

The WordPress MainWP Plugin versions 6.1.1 and earlier contain a Broken Access Control vulnerability (CVE-2026-57327). This means that unprivileged users can perform actions that should require higher privileges because the plugin lacks proper authorization, authentication, or nonce token checks.

This vulnerability is categorized as medium priority with a CVSS score of 6.3 and falls under the OWASP Top 10 category A1 (Broken Access Control).

Impact Analysis

This vulnerability allows attackers or unprivileged users to perform higher-privileged actions on affected websites, potentially compromising the integrity, confidentiality, and availability of the site.

It is considered moderately dangerous and may be exploited in mass campaigns targeting thousands of websites, increasing the risk of widespread damage.

Immediate action is recommended to update the plugin to version 6.1.2 or later, or to apply mitigation measures such as blocking attacks via rules provided by Patchstack.

Detection Guidance

The vulnerability allows unprivileged users to perform higher-privileged actions due to missing authorization, authentication, or nonce token checks. Detection typically involves monitoring for unauthorized access attempts or suspicious activity targeting the MainWP plugin versions 6.1.1 and earlier.

No specific detection commands or tools are provided in the available resources. It is recommended to monitor web server logs for unusual requests to the MainWP plugin endpoints and to use web application firewalls (WAF) with rules designed to detect broken access control attempts.

Mitigation Strategies

Immediate mitigation steps include updating the MainWP plugin to version 6.1.2 or later, which contains the fix for this broken access control vulnerability.

If updating is not possible immediately, users should seek assistance from their hosting provider or web developer.

Additionally, Patchstack has provided a mitigation rule to block attacks targeting this vulnerability until the plugin can be updated.

Compliance Impact

The vulnerability is a Broken Access Control issue that allows unprivileged users to perform higher-privileged actions due to missing authorization, authentication, or nonce token checks.

Such unauthorized access can lead to unauthorized disclosure, modification, or deletion of sensitive data, which may impact compliance with data protection standards and regulations like GDPR and HIPAA.

Because the vulnerability can be exploited in mass campaigns targeting thousands of websites, organizations using affected versions of the MainWP plugin may face increased risk of data breaches or unauthorized data access, potentially resulting in non-compliance with these regulations.

Immediate remediation by updating the plugin or applying mitigation measures is recommended to reduce the risk of compliance violations.
