
Anyone else get a 'Vulnerability in MainWP Child WordPress plugin' notice?

  • 11-03-2015 1:10pm
    #1
    Registered Users, Registered Users 2 Posts: 326 ✭✭


    Hey guys,

    I got this notice via email from www.wordfence.com this morning - did anyone else get it? Something about child themes and adding a site to my main WP dashboard...I only have one site per installation so not sure what to do. I have just upgraded the MainWP Child WordPress plugin and it is giving me another notice now.

    Here is the email:

    There is a serious privilege escalation vulnerability in the MainWP Child WordPress plugin. This plugin has over 90,000 active installs. The vulnerability allows an attacker to log into a vulnerable website bypassing the password authentication mechanism that WordPress provides.

    What to do: Upgrade immediately to version 2.0.9.2 which was released last Friday and fixes this specific issue.

    We have seen less than 10,000 downloads of this plugin since the fix was released and WordPress.org estimates 90,000 active installs are out there, so please help spread the word to the rest of the WordPress community about this issue.
    Regards,

    Mark Maunder
    Wordfence Founder & CEO



    And here is the notice I now get when I log into my WP admin:

    Attention!

    Please add this site to your MainWP Dashboard NOW or deactivate the MainWP Child plugin until you are ready to do so to avoid unexpected security issues.


    Any ideas...?


Comments

  • Registered Users, Registered Users 2 Posts: 931 ✭✭✭Xennon




  • Registered Users, Registered Users 2 Posts: 326 ✭✭route9


    I googled earlier and got links like that but they didn't mention what you had to do after getting the notice I got after upgrading. I'm just after realising that I didn't even have that plug-in to begin with, so I've just deleted the one I installed!

    As it says in the comments of that article:

    I don't understand something!
    I'm not using this Plug-in, but I did get an email from you guys telling me to update it.
    Why did I get the email if I'm not using it?

    It's much easier to send out a mass-email rather than try to target just those people who use the plugin (especially when the plugin is so widely used as this one).


    Seems a bit reckless for Wordfence not to mention that you may not even have the plugin and don't need to do anything if not! A blanket email like that should come with a caveat attached.
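For anyone unsure whether the plugin is installed at all, as happened in this thread: the script below is an added example, not code from the thread, Wordfence or MainWP. It scans a WordPress plugins directory for a plugin whose header reads `Plugin Name: MainWP Child` and compares its `Version` header with the fixed release 2.0.9.2 named in the email. The header text, the default path `wp-content/plugins` and the status labels are assumptions.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = "2.0.9.2"     # fixed release named in the Wordfence email
PLUGIN_NAME = "MainWP Child"  # assumed text of the plugin's "Plugin Name" header

# Matches header lines such as " * Plugin Name: Foo" or "Version: 1.2.3".
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.M | re.I)

def version_key(version):
    """Turn '2.0.9.2' into (2, 0, 9, 2); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.strip().split("."))

def is_older(found, fixed=FIXED_VERSION):
    """True if `found` sorts before `fixed`; short versions are zero-padded."""
    a, b = version_key(found), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def read_header(php_file):
    """Read plugin header fields from the first 8 KB, as WordPress itself does."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value.strip() for key, value in HEADER_RE.findall(text)}

def check_plugins_dir(plugins_dir):
    """Return (status, version); status is 'not-installed', 'needs-upgrade' or 'fixed'."""
    root = Path(plugins_dir)
    # Plugin main files sit at plugins/<file>.php or plugins/<dir>/<file>.php.
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        header = read_header(php)
        if header.get("plugin name", "").lower() == PLUGIN_NAME.lower():
            version = header.get("version", "0")
            return ("needs-upgrade" if is_older(version) else "fixed", version)
    return ("not-installed", None)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    print(check_plugins_dir(target))
```

A result of `not-installed` corresponds to the situation described in the last comment: the email was a blanket mailing and there is nothing to upgrade.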

