MainWP Child Reports Security & Risk Analysis

wordpress.org/plugins/mainwp-child-reports

The MainWP Child Report plugin tracks changes to Child sites for the Pro Reports Extension.

100K active installs v2.3.1 PHP 7.4+ WP 6.0+ Updated Apr 15, 2026
Tags: child-reports, mainwp, mainwp-child, mainwp-child-reports, mainwp-pro-reports-extension
Score: 92 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Apr 7, 2026
Safety Verdict

Is MainWP Child Reports Safe to Use in 2026?

Generally Safe

Score 92/100

MainWP Child Reports has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Apr 7, 2026 · Updated 1mo ago
Risk Assessment

The mainwp-child-reports plugin v2.2.6 demonstrates a generally strong security posture with excellent output escaping and a high percentage of prepared SQL statements. The absence of critical or high-severity taint flows and the presence of numerous nonce and capability checks are positive indicators. However, the plugin has a history of significant vulnerabilities, including two high-severity SQL injection flaws and a medium-severity CSRF issue. While there are no currently unpatched CVEs, this history suggests a recurring pattern of insecure coding practices that have led to past exploits. The presence of one AJAX handler without authentication checks represents a direct, exploitable entry point that significantly undermines the overall security, especially given the plugin's past SQL injection issues.

Key Concerns

  • AJAX handler without auth check
  • History of 2 High Severity CVEs
  • History of 1 Medium Severity CVE
Vulnerabilities
4 published

MainWP Child Reports Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2024: 2 CVEs
2026: 1 CVE

Severity Breakdown

High: 2
Medium: 2

4 total CVEs

CVE-2026-4299 · medium · 5.3 · Missing Authorization

MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API

Apr 7, 2026 · Patched in 2.3 (1d)

CVE-2024-7492 · high · 8.8 · Cross-Site Request Forgery (CSRF)

MainWP Child Reports <= 2.2 - Cross-Site Request Forgery to Arbitrary Options Update

Aug 7, 2024 · Patched in 2.2.1 (1d)

CVE-2024-33680 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

MainWP Child Reports <= 2.1.1 - Cross-Site Request Forgery

Apr 26, 2024 · Patched in 2.2 (6d)

CVE-2021-24754 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

MainWP Child Reports <= 2.0.7 - Admin+ SQL Injection

Sep 20, 2021 · Patched in 2.0.8 (855d)
Version History

MainWP Child Reports Release Timeline

v2.3.1 · Current
v2.3 · 58 files changed
v2.2.6 · 1 CVE · 5 files changed
v2.2.5 · 1 CVE · 3 files changed
v2.2.4 · 1 CVE · 6 files changed
v2.2.3 · 1 CVE · 6 files changed
v2.2.2 · 1 CVE · 4 files changed
v2.2.1 · 1 CVE · 22 files changed
v2.2 · 2 CVEs · 11 files changed
v2.1.1 · 3 CVEs · 8 files changed
v2.1 · 3 CVEs · 102 files changed
v2.0.8 · 3 CVEs · 18 files changed
v2.0.7 · 4 CVEs · 6 files changed
v2.0.6 · 4 CVEs · 63 files changed
v2.0.5 · 4 CVEs · 61 files changed
v2.0.4 · 4 CVEs · 10 files changed
v2.0.3 · 4 CVEs · 4 files changed
v2.0.2 · 4 CVEs · 11 files changed
v2.0.1 · 4 CVEs · 14 files changed
v2.0 · 4 CVEs · 316 files changed
Code Analysis
Analyzed Mar 16, 2026

MainWP Child Reports Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 11 (42 prepared)
Unescaped Output: 11 (302 escaped)
Nonce Checks: 13
Capability Checks: 11
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

79% prepared · 53 total queries

Output Escaping

96% escaped · 313 total outputs
Attack Surface
1 unprotected

MainWP Child Reports Attack Surface

Entry Points: 7
Unprotected: 1

AJAX Handlers 7

auth · wp_ajax_wp_mainwp_stream_reset · classes\class-admin.php:115
auth · wp_ajax_wp_mainwp_stream_filters · classes\class-admin.php:138
auth · wp_ajax_wp_mainwp_stream_uninstall · classes\class-db-driver-wpdb.php:188
auth · wp_ajax_mainwp_stream_enable_live_update · classes\class-live-update.php:47
auth · wp_ajax_mainwp_stream_get_users · classes\class-settings.php:89
auth · wp_ajax_mainwp_stream_get_ips · classes\class-settings.php:92
auth · wp_ajax_mainwp_stream_get_actions · classes\class-settings.php:93

WordPress Hooks 70

action · init · classes\class-admin.php:74
action · admin_notices · classes\class-admin.php:98
action · shutdown · classes\class-admin.php:99
filter · admin_body_class · classes\class-admin.php:102
action · admin_enqueue_scripts · classes\class-admin.php:105
action · admin_enqueue_scripts · classes\class-admin.php:112
action · wp_loaded · classes\class-admin.php:128
action · wp_mainwp_stream_auto_purge · classes\class-admin.php:129
action · shutdown · classes\class-admin.php:196
action · shutdown · classes\class-connector.php:254
action · admin_init · classes\class-export.php:35
action · wp_mainwp_stream_record_actions_menu · classes\class-export.php:36
filter · mainwp_stream_records_per_page · classes\class-export.php:65
filter · wp_mainwp_stream_list_table_columns · classes\class-export.php:66
action · init · classes\class-install.php:50
action · wp_mainwp_stream_before_db_notices · classes\class-install.php:53
action · wp_mainwp_child_reposts_recreate_tables_if_not_exist · classes\class-install.php:54
action · all_admin_notices · classes\class-install.php:121
filter · screen_settings · classes\class-list-table.php:57
filter · set-screen-option · classes\class-list-table.php:61
filter · heartbeat_received · classes\class-live-update.php:44
action · admin_menu · classes\class-mainwp-child-report-helper.php:47
filter · mainwp_wp_stream_settings_form_action · classes\class-mainwp-child-report-helper.php:48
filter · updraftplus_save_last_backup · classes\class-mainwp-child-report-helper.php:49
action · mainwp_child_reports_log · classes\class-mainwp-child-report-helper.php:51
filter · all_plugins · classes\class-mainwp-child-report-helper.php:52
filter · plugin_row_meta · classes\class-mainwp-child-report-helper.php:53
filter · wp_mainwp_stream_settings_option_fields · classes\class-mainwp-child-report-helper.php:54
filter · mainwp_child_init_subpages · classes\class-mainwp-child-report-helper.php:83
filter · wp_mainwp_stream_query_args · classes\class-network.php:38
action · init · classes\class-network.php:47
action · network_admin_notices · classes\class-network.php:49
action · wpmuadminedit · classes\class-network.php:50
filter · wp_mainwp_stream_blog_id_logged · classes\class-network.php:54
filter · wp_mainwp_stream_admin_page_title · classes\class-network.php:55
filter · wp_mainwp_stream_list_table_screen_id · classes\class-network.php:56
filter · wp_mainwp_stream_list_table_filters · classes\class-network.php:57
filter · wp_mainwp_stream_list_table_columns · classes\class-network.php:58
filter · wp_mainwp_stream_settings_form_action · classes\class-network.php:59
filter · wp_mainwp_stream_settings_form_description · classes\class-network.php:60
filter · wp_mainwp_stream_serialized_labels · classes\class-network.php:61
filter · wp_mainwp_stream_connectors · classes\class-network.php:62
action · plugins_loaded · classes\class-plugin.php:99
action · init · classes\class-plugin.php:105
action · plugins_loaded · classes\class-plugin.php:108
action · mainwp_child_reports_add_log · classes\class-plugin.php:124
action · admin_init · classes\class-settings.php:66
filter · wp_mainwp_stream_serialized_labels · classes\class-settings.php:80
filter · user_search_columns · classes\class-settings.php:127
filter · wp_mainwp_stream_log_data · connectors\class-connector-acf.php:122
action · shutdown · connectors\class-connector-acf.php:258
filter · wp_mainwp_stream_log_data · connectors\class-connector-bbpress.php:166
filter · wp_mainwp_stream_log_data · connectors\class-connector-edd.php:220
action · load-theme-editor.php · connectors\class-connector-editor.php:50
action · load-plugin-editor.php · connectors\class-connector-editor.php:51
filter · wp_redirect · connectors\class-connector-editor.php:52
filter · upgrader_pre_install · connectors\class-connector-installer.php:119
filter · wp_mainwp_stream_log_data · connectors\class-connector-jetpack.php:182
action · registered_post_type · connectors\class-connector-posts.php:75
action · admin_head · connectors\class-connector-settings.php:215
action · admin_enqueue_scripts · connectors\class-connector-settings.php:216
action · updated_option · connectors\class-connector-settings.php:630
action · registered_taxonomy · connectors\class-connector-taxonomies.php:89
filter · wp_mainwp_stream_log_data · connectors\class-connector-user-switching.php:83
action · customize_save_after · connectors\class-connector-widgets.php:144
filter · wp_mainwp_stream_posts_exclude_post_types · connectors\class-connector-woocommerce.php:72
action · wp_mainwp_stream_comments_exclude_comment_types · connectors\class-connector-woocommerce.php:73
action · admin_enqueue_scripts · connectors\class-connector-wordpress-seo.php:198
filter · wp_mainwp_stream_log_data · connectors\class-connector-wordpress-seo.php:199
action · shutdown · mainwp-child-reports.php:30

Scheduled Events 1

wp_mainwp_stream_auto_purge
Maintenance & Trust

MainWP Child Reports Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 15, 2026
PHP min version: 7.4
Downloads: 1.6M

Community Trust

Rating: 86/100
Number of ratings: 6
Active installs: 100K
Developer Profile

MainWP Child Reports Developer Profile

mainwp

4 plugins · 825K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1203 days
Detection Fingerprints

How We Detect MainWP Child Reports

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mainwp-child-reports/css/mainwp-child-reports-admin.css
/wp-content/plugins/mainwp-child-reports/js/mainwp-child-reports-admin.js
Script Paths
/wp-content/plugins/mainwp-child-reports/js/mainwp-child-reports-admin.js
Version Parameters
mainwp-child-reports/css/mainwp-child-reports-admin.css?ver=
mainwp-child-reports/js/mainwp-child-reports-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp_mainwp_stream_screen
Data Attributes
data-page-slug
data-nonce
JS Globals
wp_mainwp_stream_filters_nonce
REST Endpoints
/wp-json/wp_mainwp_stream/v1/filters