PT-2026-31079 · WordPress · Mainwp Child Reports
Hunter Jensen · Published 2026-04-08 · Updated 2026-04-13 · CVE-2026-4299
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
MainWP Child Reports versions up to and including 2.2.6
Description
The MainWP Child Reports plugin for WordPress has a missing authorization check in the heartbeat_received() function within the Live Update class. This allows authenticated attackers with Subscriber-level access or higher to retrieve MainWP Child Reports activity log entries, including action summaries, user information, IP addresses, and contextual data, through the WordPress Heartbeat API by sending a crafted heartbeat request with the wp-mainwp-stream-heartbeat data key.
Recommendations
Update MainWP Child Reports to a version later than 2.2.6.
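The class of check described above, as an added illustration of a `heartbeat_received` callback that authorizes the caller before returning log data. This is not MainWP Child Reports code: the function names, the `manage_options` capability and the sample records are assumptions made for the example.

```php
<?php
// Illustrative sketch only, not the plugin's code. Names prefixed "example_"
// and the capability below are assumptions.

const EXAMPLE_HEARTBEAT_KEY = 'wp-mainwp-stream-heartbeat'; // data key named in the advisory
const EXAMPLE_REQUIRED_CAP  = 'manage_options';             // assumed capability for log viewers

/**
 * Heartbeat callback that authorizes the caller before adding log data.
 *
 * WordPress runs the `heartbeat_received` filter for every logged-in user,
 * Subscribers included, so the callback must enforce its own access check.
 */
function example_reports_heartbeat_received( $response, $data ) {
    // Ignore heartbeats that do not ask for this feature.
    if ( ! is_array( $data ) || ! isset( $data[ EXAMPLE_HEARTBEAT_KEY ] ) ) {
        return $response;
    }

    // Authorization: being logged in is not enough to read activity logs.
    if ( ! current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        return $response; // response left untouched, no log entries added
    }

    // Only after the check passes are the sensitive rows collected.
    $response[ EXAMPLE_HEARTBEAT_KEY ] = example_reports_recent_records();
    return $response;
}
add_filter( 'heartbeat_received', 'example_reports_heartbeat_received', 10, 2 );

/**
 * Stand-in data source returning constructed sample rows (assumption);
 * a real plugin would query its own log table here.
 */
function example_reports_recent_records() {
    return array(
        array(
            'summary' => 'Sample post updated', // constructed value
            'user'    => 'example-admin',       // constructed value
            'ip'      => '192.0.2.10',          // documentation-range address
        ),
    );
}
```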
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Mainwp Child Reports