WP Engine has recently started sending out emails to all customers that are hosted on their platform who have the MainWP Child plugin installed, regardless of version at this time, with the following messaging:
Hello,
At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified resources that may be utilizing a vulnerable version of the mainwp-child plugin.
This vulnerability’s information has been verified by WPScan. Please note that questions related to this notification should be directed to WPScan, the plugin Author or the 3rd-party researcher for the most accurate information.
Resources providing further information on this vulnerability:
CVE - CVE-2024-10783
MainWP Child <= 5.2 – Authentication Bypass | CVE 2024-10783 | Plugin Vulnerabilities
MainWP Refuses to Patch Critical Flaw Leaving Sites Vulnerable to Takeover
There does not appear to be a fix for this update at this moment and we recommend updating when one becomes available.
We always suggest making a backup before making any changes. You can learn how to do this in this article: https://wpengine.com/support/restore/.
Would you like to avoid doing these updates manually in the future? Add the Smart Plugin Manager: https://my.wpengine.com/products/smart_plugin_manager to your plan today!
Finally, feel free to reach out to our Support team if you need assistance with backing up or updating your website!
Thanks,
-WP Engine Security Team
Looking at the kernelmode article, the author outlines very clear reasons why MainWP should be taking action to fix this (by enforcing the use of the Unique Security ID instead of making it optional), but the MainWP engineers have elected to argue against this change rather than simply doing the work to have a rollout plan that notifies the users of the MainWP management ecosystem on their servers to employ the mandatory use of Unique Security IDs moving forward.
I’m in the unfortunate position where my superiors aren’t convinced that MainWP’s stance is “good enough”, and I am also attempting to avoid having to use a competitor product to achieve the same functionality.
What does everyone else think?