CVE-2026-57327 MEDIUM

CVE-2026-57327: WordPress MainWP plugin <= 6.1.1 - Broken Access Control vulnerability

Vendor Mainwp
Product MainWP
Weakness CWE-862 · Missing authorization
Published June 29, 2026
Last update June 29, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Subscriber Broken Access Control in MainWP <= 6.1.1 versions.

Explanation of Vulnerability in Simple Terms

02Summary

MainWP versions up to 6.1.1 lack proper authorization checks, allowing authenticated users with low privileges to read, modify, or disrupt site data. An attacker with a standard user account can access functionality that should be restricted to administrators. Update to version 6.1.2 or later to restore proper access controls.

What an attacker can do

03Attacker Capabilities

Read, modify, or disrupt site data without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users can access admin-level features, risking data exposure and site integrity.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated account on the MainWP installation.

Key dates

06Disclosure timeline

June 29, 2026 CVE published

Related vulnerabilities

08Related CVE

CVE-2023-5426 Post Meta Data Manager <=1.2.0 - Missing Authorization to User, Term, and Post Meta Deletion CVE-2025-24642 WordPress Setup Default Featured Image plugin <= 1.2 - Broken Access Control vulnerability CVE-2023-47776 WordPress miniorange otp verification plugin <= 4.2.1 - Broken Access Control vulnerability CVE-2026-32437 WordPress VW Portfolio theme <= 1.3.3 - Broken Access Control vulnerability CVE-2025-15043 The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control