Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi all,
Vanilla are planning an update to the site on April 24th (next Wednesday). It is a major PHP8 update which is expected to boost performance across the site. The site will be down from 7pm and it is expected to take about an hour to complete. We appreciate your patience during the update.
Thanks all.

Anyone else get a 'Vulnerability in MainWP Child WordPress plugin' notice?

  • 11-03-2015 2:10pm
    #1
    route9
    Registered Users Posts: 326 ✭✭


    Hey guys,

    I got this notice via email from www.wordfence.com this morning - did anyone else get it? Something about child themes and adding a site to my main WP dashboard...I only have one site per installation so not sure what to do. I have just upgraded the MainWP Child WordPress plugin and it is giving me another notice now.

    Here is the email:

    There is a serious privilege escalation vulnerability in the MainWP Child WordPress plugin. This plugin has over 90,000 active installs. The vulnerability allows an attacker to log into a vulnerable website bypassing the password authentication mechanism that WordPress provides.

    What to do: Upgrade immediately to version 2.0.9.2 which was released last Friday and fixes this specific issue.

    We have seen less than 10,000 downloads of this plugin since the fix was released and WordPress.org estimates 90,000 active installs are out there, so please help spread the word to the rest of the WordPress community about this issue.
    Regards,

    Mark Maunder
    Wordfence Founder & CEO


    And here is the notice I now get when I log into my WP admin:

    Attention!

    Please add this site to your MainWP Dashboard NOW or deactivate the MainWP Child plugin until you are ready to do so to avoid unexpected security issues.

    Any ideas...?


Comments

  • #2
    Xennon
    Registered Users Posts: 931 ✭✭✭Xennon


    http://blog.sucuri.net/2015/03/security-advisory-mainwp-child-wordpress-plugin.html


  • #3
    route9
    Registered Users Posts: 326 ✭✭route9


    I googled earlier and got links like that but they didn't mention what you had to do after getting the notice I got after upgrading. I'm just after realising that I didn't even have that plug-in to begin with, so I've just deleted the one I installed!

    As it says in the comments of that article:

    I don't understand something!
    I'm not using this Plug-in, but I did get an email from you guys telling me to update it.
    Why did I get the email if I'm not using it?

    It's much easier to send out a mass-email rather than try to target just those people who use the plugin (especially when the plugin is so widely used as this one).

    Seems a bit reckless for Wordfence not to mention that you may not even have the plugin and don't need to do anything if not! A blanket email like that should come with a caveat attached..


Advertisement