MainWP Child Reports
cpe:2.3:a:mainwp:mainwp_child_reports:*:*:*:*:wordpress:*:*
- <= 2.2.6
A missing authorization vulnerability has been identified in the MainWP Child Reports plugin for WordPress, affecting all versions up to and including 2.2.6. The issue arises from a lack of capability checks in the 'heartbeat_received' function of the Live_Update class. It allows authenticated attackers with Subscriber-level access and above to read MainWP Child Reports activity log entries. The logs include action summaries, user information, IP addresses, and contextual data. The vulnerability is exploited through the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.
Exploitation of this vulnerability could lead to unauthorized access to sensitive activity log data, including personal user information and IP addresses, which could be misused for malicious purposes.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a crafted heartbeat request via the WordPress Heartbeat API. The request must include the 'wp-mainwp-stream-heartbeat' data key. This can be done using a tool that allows manipulation of HTTP requests, such as Postman or a custom script, by targeting the WordPress site's Heartbeat API endpoint and including the necessary data.
Users are advised to update the MainWP Child Reports plugin to version 2.3 or later, where this vulnerability has been patched.
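To check retained request logs for the heartbeat request described above, the following added example (not part of the advisory or of the plugin) flags Heartbeat POSTs that carry the 'wp-mainwp-stream-heartbeat' data key and come from a role outside an allow-list. The JSON-lines log format, its field names, the sample records and the ALLOWED_ROLES set are assumptions; the log source must retain POST bodies and the authenticated user's role.

```python
import json
from urllib.parse import parse_qsl, urlsplit

HEARTBEAT_KEY = "wp-mainwp-stream-heartbeat"  # data key named in the advisory
ALLOWED_ROLES = {"administrator"}  # assumption: roles expected to read the log

# Constructed sample records, one JSON object per line (assumed log format).
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:01Z","src_ip":"192.0.2.10","user":"admin","role":"administrator","url":"/wp-admin/admin-ajax.php","body":"action=heartbeat&data%5Bwp-mainwp-stream-heartbeat%5D=constructed"}
{"ts":"2025-01-10T09:02:17Z","src_ip":"198.51.100.23","user":"sub_alice","role":"subscriber","url":"/wp-admin/admin-ajax.php","body":"action=heartbeat&data%5Bwp-mainwp-stream-heartbeat%5D=constructed"}
{"ts":"2025-01-10T09:03:00Z","src_ip":"198.51.100.23","user":"sub_alice","role":"subscriber","url":"/wp-admin/admin-ajax.php","body":"action=heartbeat&data%5Bwp-auth-check%5D=true"}
{"ts":"2025-01-10T09:05:40Z","src_ip":"203.0.113.7","user":"contrib_bob","role":"contributor","url":"/wp-admin/admin-ajax.php?x=1","body":"action=heartbeat&data[wp-mainwp-stream-heartbeat][constructed]=1"}
not-json
"""


def carries_stream_key(record):
    """True for a Heartbeat POST to admin-ajax.php that carries the data key."""
    path = urlsplit(record.get("url", "")).path
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qsl(record.get("body", ""), keep_blank_values=True)
    if ("action", "heartbeat") not in params:
        return False
    prefix = f"data[{HEARTBEAT_KEY}]"
    # Nested values are serialised as data[key][sub], so match both forms.
    return any(n == prefix or n.startswith(prefix + "[") for n, _ in params)


def find_suspect_requests(log_text):
    """Return (ts, user, role, src_ip) for key-bearing requests from other roles."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid records
        if not isinstance(rec, dict):
            continue
        if carries_stream_key(rec) and rec.get("role") not in ALLOWED_ROLES:
            hits.append((rec["ts"], rec["user"], rec["role"], rec["src_ip"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(*hit)
```

The same key is sent during normal use by roles that are allowed to view the reports, so the role allow-list is what separates expected traffic from the access the advisory describes.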