700,000 WordPress Sites Vulnerable to Takeover, No Fix Available

MainWP, a plugin widely used for managing multiple WordPress sites from a single dashboard, has left a critical security vulnerability unpatched, despite being informed of the issue.

This flaw, present in the MainWP Child plugin used by over 700,000 websites, permits unauthorized attackers to access websites with administrator privileges, potentially compromising sensitive data and user trust.

Authentication bypass problem

The vulnerability, classified as an authentication bypass, exists within the MainWP Child plugin due to an insecure connection setup between the MainWP Child and Dashboard plugins. When linking a MainWP Child site to a central Dashboard, the only required information is the site's URL and the administrator username — no password is necessary. This weak verification process allows attackers to exploit the connection and gain admin access simply by submitting a username, bypassing password checks entirely.

Within the plugin's register_site function, the setup process includes checks for certain parameters, such as user and pubkey. However, if both are supplied, the plugin's login function grants administrative access without enforcing a password requirement. This design flaw leaves sites with unprotected MainWP Child installations vulnerable to unauthorized logins. Notably, sites are only protected if they manually enable the “Require unique security ID” feature, which is off by default, thus leaving many installations exposed.

The flaw has been assigned a CVSS score of 9.2 (Critical) and is tracked as CVE-2024-10783.

Disclosure and response

Security researcher Sean Murphy, who identified the issue, disclosed it to MainWP and to Wordfence's bug bounty program. On November 2, 2024, Wordfence initially validated the report but later ruled the issue out of scope, describing it as a “known feature” rather than a vulnerability. Wordfence explained that this functionality, documented in MainWP's usage guidelines, was intentional and included user warnings. MainWP directly rejected the report on November 11, asserting the design's validity and confirming that the software “works as designed,” thus declining to patch the issue.

Murphy expressed dismay over MainWP's stance, pointing out that this is not the first instance of an authentication bypass vulnerability in the MainWP Child plugin. Similar flaws have been found and patched in the past, raising questions about MainWP's decision not to address this current vulnerability. Murphy argues that MainWP's approach fails to balance usability with necessary security protections.

Implications and security recommendations

MainWP's refusal to patch this vulnerability exposes managed sites to a substantial risk of takeover attacks, especially if left unconnected to a dashboard or if security configurations remain at default settings. The vendor's position underscores a fundamental disagreement over the nature of security risks: whereas many in the cybersecurity field consider insecure design a vulnerability in itself, MainWP and Wordfence's decisions suggest otherwise, emphasizing intention over security outcomes.

For WordPress site administrators using MainWP Child, Murphy has recommended alternative security measures, such as enabling the “Require unique security ID” option, which, when configured, provides an additional verification layer. Additionally, security providers can deploy virtual patches on web application firewalls to detect and mitigate potential exploit attempts. Murphy provided a proof-of-concept (PoC) exploit, primarily for security teams, to help them recognize malicious activity targeting this vulnerability.

Website admins are recommended to perform the following actions:

• Enable “Require unique security ID” to prevent unauthorized logins.
• Use a Web Application Firewall (WAF) to detect and block exploit attempts by analyzing request patterns based on known attack signatures.
• Keep all plugins, themes, and WordPress core updated, and assess installed plugins for potential risks, including intentional design flaws that could jeopardize security.