WordPress’s MainWP Child Plugin has a vulnerability… and it is very much exploitable.
Mickael Nadeau, Sucuri’s security and vulnerability researcher, revealed the finding in his blog post on Monday.
“This vulnerability allows anyone to login as an administrator only by knowing the target user’s handle (password bypass). It is very simple to exploit and a big deal as security tools like WPScan already automate the process of grabbing a list of usernames from WordPress sites.”
Sucuri has notified the developers about this problem, and they have spontaneously addressed it in WordPress’s version 220.127.116.11. Users rely on this plugin as a remote administration tool, and it has already been installed around 90,000 times. The developers are now urging users to update the plugin.