CVE-2024-10783 is a critical authorization bypass vulnerability classified under CWE-862 affecting the MainWP Child plugin for WordPress, which is designed to securely connect multiple WordPress sites to a centralized MainWP Dashboard for management. The vulnerability exists because the register_site function lacks proper authorization checks when the plugin is in an unconfigured state, i.e., before the child site is connected to the MainWP Dashboard. This missing authorization allows unauthenticated attackers to escalate privileges by registering a site and effectively logging in as an administrator on the affected WordPress instance. The vulnerability impacts all versions up to and including 5.2. Sites that have already completed the connection to the MainWP Dashboard or have enabled the unique security ID feature are not vulnerable. The partial patch in version 5.2.1 does not fully resolve the issue, whereas version 5.3 contains the complete fix. The CVSS 3.1 base score of 8.1 reflects the network attack vector, high complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No active exploitation has been reported, but the vulnerability poses a significant risk to unconfigured MainWP Child installations.

The vulnerability allows unauthenticated attackers to gain administrator-level access on WordPress sites running the vulnerable MainWP Child plugin in an unconfigured state. This can lead to full site compromise, including data theft, site defacement, malware injection, and pivoting to other network resources. Since MainWP is used to manage multiple WordPress sites centrally, a compromise of a single child site could potentially impact the broader managed environment if attackers leverage this foothold. The high CVSS score indicates severe impacts on confidentiality, integrity, and availability. Organizations relying on MainWP for multi-site management face increased risk, especially during initial setup phases before the child site is connected. The absence of known exploits in the wild suggests a window for proactive mitigation, but the ease of exploitation and high impact necessitate urgent attention.

Organizations should immediately verify if their WordPress sites use the MainWP Child plugin and determine if the plugin is in an unconfigured state. The primary mitigation is to upgrade all instances of MainWP Child to version 5.3, which contains the complete patch. Until upgrading, enabling the unique security ID feature provides protection against this vulnerability. Additionally, sites should complete the configuration process by connecting the child site to the MainWP Dashboard promptly to close the attack vector. Network-level protections such as web application firewalls (WAFs) can be configured to monitor and block suspicious requests targeting the register_site function. Administrators should audit logs for unauthorized access attempts and review user accounts for suspicious administrator creations. Restricting access to the WordPress admin area via IP whitelisting during initial setup phases can further reduce risk. Regular backups and incident response plans should be in place to recover from potential compromises.