
Cloud Vulnerability DB
A community-led vulnerabilities database
The MainWP Child WordPress plugin (versions up to 5.2) contains a privilege escalation vulnerability (CVE-2024-10783) that affects sites where the plugin is installed but not yet connected to the MainWP Dashboard. The vulnerability allows unauthenticated attackers to gain administrator access on affected installations when the unique security ID feature is disabled (NVD, WPScan).
The vulnerability stems from missing authorization checks in the register_site function, which can be exploited when a site is in an unconfigured state. The issue has a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD).
When successfully exploited, the vulnerability allows unauthenticated attackers to log in as an administrator without providing a password on WordPress installations where MainWP Child is not yet connected to the MainWP Dashboard and the unique security ID feature is disabled (WPScan).
The vulnerability has been patched in version 5.3 of the MainWP Child plugin. While version 5.2.1 contains a partial fix, version 5.3 is considered the complete patch. Sites that are already connected to the MainWP Dashboard plugin are not affected. Users are advised to upgrade to version 5.3 or later (NVD).
Source: This report was generated using AI
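The conditions above can be turned into a triage pass over a site inventory. This is an added example, not code from the plugin or from the advisory sources: the status labels, the inventory layout and the sample header are constructed, and the connected and unique-security-ID flags are assumed to come from your own records.

```python
import re

FULL_FIX = (5, 3)        # page: 5.3 is the complete patch
PARTIAL_FIX = (5, 2, 1)  # page: 5.2.1 contains only a partial fix

# Constructed sample of a WordPress plugin header comment (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: MainWP Child
 * Version: 5.2
 */
"""

def plugin_version(header_text):
    """Return the Version field of a WordPress plugin header, or None."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", header_text, re.M | re.I)
    return m.group(1) if m else None

def triage(version, connected, unique_id_enabled):
    """Classify one site against the conditions the advisory lists."""
    if version is None:
        return "unknown"
    v = tuple(int(p) for p in version.split("."))
    if v >= FULL_FIX:
        return "patched"
    if connected:
        return "not-affected-upgrade"        # connected sites are not affected
    if unique_id_enabled:
        return "precondition-unmet-upgrade"  # issue requires the feature disabled
    return "partial-fix-upgrade-now" if v >= PARTIAL_FIX else "exposed-upgrade-now"

def scan(inventory):
    """Map host -> status for (host, header_text, connected, unique_id_enabled) rows."""
    return {h: triage(plugin_version(t), c, u) for h, t, c, u in inventory}

# Constructed inventory; connected / unique_id_enabled come from your own records.
INVENTORY = [
    ("staging.example", SAMPLE_HEADER, False, False),
    ("shop.example", SAMPLE_HEADER, True, False),
    ("blog.example", SAMPLE_HEADER.replace("5.2", "5.2.1"), False, False),
    ("docs.example", SAMPLE_HEADER.replace("5.2", "5.3"), False, False),
    ("old.example", "<?php // no header", False, True),
]

if __name__ == "__main__":
    for host, status in scan(INVENTORY).items():
        print(f"{host:18} {status}")
```

Sites reported as unknown need a manual check, since a missing version header says nothing about whether the plugin is present.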