Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for MainWP Dashboard: Self-hosted WordPress Management for Agencies by mainwp

    CVE-2016-15041 (GCVE-0-2016-15041)

    Vulnerability from nvd – Published: 2024-10-16 06:43 – Updated: 2026-04-08 17:14
    VLAI
    Title
    MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance Plugin <= 3.1.2 - Stored Cross-Site Scripting
    Summary
    The MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mwp_setup_purchase_username’ parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Jouko Pynnöne
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2016-15041",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T13:00:16.659388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T13:00:56.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MainWP Dashboard: Self-hosted WordPress Management for Agencies",
              "vendor": "mainwp",
              "versions": [
                {
                  "lessThan": "3.1.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jouko Pynn\u00f6ne"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MainWP Dashboard \u2013 The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018mwp_setup_purchase_username\u2019 parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:14:11.537Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9b1445f-3b6b-40fa-9a12-f55d63668dda?source=cve"
            },
            {
              "url": "https://klikki.fi/adv/mainwp.html"
            },
            {
              "url": "https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-mainwp-dashboard-cross-site-scripting-3-1-2/"
            },
            {
              "url": "https://web.archive.org/web/20191101060009/https%3A//klikki.fi/adv/mainwp.html"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2016-04-29T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "MainWP Dashboard \u2013 The Private WordPress Manager for Multiple Website Maintenance Plugin \u003c= 3.1.2 - Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2016-15041",
        "datePublished": "2024-10-16T06:43:40.321Z",
        "dateReserved": "2024-10-15T18:37:02.156Z",
        "dateUpdated": "2026-04-08T17:14:11.537Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1642 (GCVE-0-2024-1642)

    Vulnerability from nvd – Published: 2024-03-13 15:26 – Updated: 2026-04-08 16:43
    VLAI
    Title
    MainWP Dashboard <= 4.6.0.1 - Cross-Site Request Forgery via posting_bulk
    Summary
    The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the 'posting_bulk' function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Krzysztof Zając
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1642",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-25T13:19:07.819381Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-25T13:20:27.540Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:48:21.690Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c2d9569-a551-46f5-8581-464b9f35b71c?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/mainwp/tags/4.6.0.1/pages/page-mainwp-post-page-handler.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3042125/mainwp/trunk/pages/page-mainwp-post-page-handler.php?old=3017011\u0026old_path=mainwp/trunk/pages/page-mainwp-post-page-handler.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MainWP Dashboard: Self-hosted WordPress Management for Agencies",
              "vendor": "mainwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.6.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Krzysztof Zaj\u0105c"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MainWP Dashboard  \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the \u0027posting_bulk\u0027 function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:43:50.015Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c2d9569-a551-46f5-8581-464b9f35b71c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/mainwp/tags/4.6.0.1/pages/page-mainwp-post-page-handler.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3042125/mainwp/trunk/pages/page-mainwp-post-page-handler.php?old=3017011\u0026old_path=mainwp/trunk/pages/page-mainwp-post-page-handler.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-27T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "MainWP Dashboard \u003c= 4.6.0.1 - Cross-Site Request Forgery via posting_bulk"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1642",
        "datePublished": "2024-03-13T15:26:41.285Z",
        "dateReserved": "2024-02-19T20:24:40.695Z",
        "dateUpdated": "2026-04-08T16:43:50.015Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6164 (GCVE-0-2023-6164)

    Vulnerability from nvd – Published: 2023-11-22 15:33 – Updated: 2026-04-08 17:00
    VLAI
    Title
    MainWP Dashboard <= 4.5.1.2 - Authenticated(Administrator+) CSS Injection
    Summary
    The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    Impacted products
    Credits
    Hüseyin TINTAŞ
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:21:17.824Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2\u0026old=2996628\u0026new_path=/mainwp/tags/4.5.1.3\u0026new=2996628\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MainWP Dashboard: Self-hosted WordPress Management for Agencies",
              "vendor": "mainwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.5.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "H\u00fcseyin TINTA\u015e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MainWP Dashboard  \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the \u2018newColor\u2019 parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 2.2,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:00:57.400Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2\u0026old=2996628\u0026new_path=/mainwp/tags/4.5.1.3\u0026new=2996628\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-10-20T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "MainWP Dashboard \u003c= 4.5.1.2 - Authenticated(Administrator+) CSS Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6164",
        "datePublished": "2023-11-22T15:33:28.411Z",
        "dateReserved": "2023-11-15T18:33:03.654Z",
        "dateUpdated": "2026-04-08T17:00:57.400Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2016-15041 (GCVE-0-2016-15041)

    Vulnerability from cvelistv5 – Published: 2024-10-16 06:43 – Updated: 2026-04-08 17:14
    VLAI
    Title
    MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance Plugin <= 3.1.2 - Stored Cross-Site Scripting
    Summary
    The MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mwp_setup_purchase_username’ parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Jouko Pynnöne
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2016-15041",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T13:00:16.659388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T13:00:56.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MainWP Dashboard: Self-hosted WordPress Management for Agencies",
              "vendor": "mainwp",
              "versions": [
                {
                  "lessThan": "3.1.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jouko Pynn\u00f6ne"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MainWP Dashboard \u2013 The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018mwp_setup_purchase_username\u2019 parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:14:11.537Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9b1445f-3b6b-40fa-9a12-f55d63668dda?source=cve"
            },
            {
              "url": "https://klikki.fi/adv/mainwp.html"
            },
            {
              "url": "https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-mainwp-dashboard-cross-site-scripting-3-1-2/"
            },
            {
              "url": "https://web.archive.org/web/20191101060009/https%3A//klikki.fi/adv/mainwp.html"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2016-04-29T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "MainWP Dashboard \u2013 The Private WordPress Manager for Multiple Website Maintenance Plugin \u003c= 3.1.2 - Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2016-15041",
        "datePublished": "2024-10-16T06:43:40.321Z",
        "dateReserved": "2024-10-15T18:37:02.156Z",
        "dateUpdated": "2026-04-08T17:14:11.537Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1642 (GCVE-0-2024-1642)

    Vulnerability from cvelistv5 – Published: 2024-03-13 15:26 – Updated: 2026-04-08 16:43
    VLAI
    Title
    MainWP Dashboard <= 4.6.0.1 - Cross-Site Request Forgery via posting_bulk
    Summary
    The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the 'posting_bulk' function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Krzysztof Zając
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1642",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-25T13:19:07.819381Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-25T13:20:27.540Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:48:21.690Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c2d9569-a551-46f5-8581-464b9f35b71c?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/mainwp/tags/4.6.0.1/pages/page-mainwp-post-page-handler.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3042125/mainwp/trunk/pages/page-mainwp-post-page-handler.php?old=3017011\u0026old_path=mainwp/trunk/pages/page-mainwp-post-page-handler.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MainWP Dashboard: Self-hosted WordPress Management for Agencies",
              "vendor": "mainwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.6.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Krzysztof Zaj\u0105c"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MainWP Dashboard  \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the \u0027posting_bulk\u0027 function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:43:50.015Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c2d9569-a551-46f5-8581-464b9f35b71c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/mainwp/tags/4.6.0.1/pages/page-mainwp-post-page-handler.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3042125/mainwp/trunk/pages/page-mainwp-post-page-handler.php?old=3017011\u0026old_path=mainwp/trunk/pages/page-mainwp-post-page-handler.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-27T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "MainWP Dashboard \u003c= 4.6.0.1 - Cross-Site Request Forgery via posting_bulk"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1642",
        "datePublished": "2024-03-13T15:26:41.285Z",
        "dateReserved": "2024-02-19T20:24:40.695Z",
        "dateUpdated": "2026-04-08T16:43:50.015Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6164 (GCVE-0-2023-6164)

    Vulnerability from cvelistv5 – Published: 2023-11-22 15:33 – Updated: 2026-04-08 17:00
    VLAI
    Title
    MainWP Dashboard <= 4.5.1.2 - Authenticated(Administrator+) CSS Injection
    Summary
    The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    Impacted products
    Credits
    Hüseyin TINTAŞ
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:21:17.824Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2\u0026old=2996628\u0026new_path=/mainwp/tags/4.5.1.3\u0026new=2996628\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MainWP Dashboard: Self-hosted WordPress Management for Agencies",
              "vendor": "mainwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.5.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "H\u00fcseyin TINTA\u015e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MainWP Dashboard  \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the \u2018newColor\u2019 parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 2.2,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:00:57.400Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2\u0026old=2996628\u0026new_path=/mainwp/tags/4.5.1.3\u0026new=2996628\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-10-20T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "MainWP Dashboard \u003c= 4.5.1.2 - Authenticated(Administrator+) CSS Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6164",
        "datePublished": "2023-11-22T15:33:28.411Z",
        "dateReserved": "2023-11-15T18:33:03.654Z",
        "dateUpdated": "2026-04-08T17:00:57.400Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }