High severity · CVSS 7.6 (NVD) · Advisory published Dec 20, 2023 · Updated Apr 28, 2026
CVE-2023-38519
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance. This issue affects MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance: from n/a through 4.4.3.3.
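The fix commit linked on this page replaces an `intval()`-based `array_filter()` callback with an `is_numeric()` check. The PHP below is an added example, not MainWP's code: it reproduces both filter patterns on constructed input to show why the pre-fix one let non-numeric strings through, and adds a third function that normalises the ids to integers and emits `%d` placeholders for `$wpdb->prepare()`. The table and column names in that third function are illustrative assumptions, not MainWP's schema.

```php
<?php
// Added example, not MainWP's code. It reproduces the two filter patterns
// visible in the fix commit and shows why the pre-fix one did not
// neutralise the values it let through.

// Pre-fix pattern: the callback casts a LOCAL copy, but array_filter()
// returns the ORIGINAL elements unchanged. Any string whose leading digits
// form a positive integer is kept verbatim, trailing text included.
function filter_ids_prefix_intval(array $ids): array
{
    return array_values(array_filter($ids, function ($e) {
        $e = intval($e);   // "7 trailing text" becomes 7 here, and only here
        return 0 < $e;
    }));
}

// Post-fix pattern: is_numeric() must accept the whole string, and the
// 'nogroups' sentinel is matched with a strict comparison.
function filter_ids_numeric(array $ids): array
{
    return array_values(array_filter($ids, function ($e) {
        if ('nogroups' === $e) {
            return true;
        }
        return is_numeric($e) && 0 < $e;
    }));
}

// Defence in depth (an assumption of this example, not something the
// commit does): cast every surviving id to int and build %d placeholders,
// so the caller's strings never reach the SQL text. In WordPress the
// returned pair would be passed to $wpdb->prepare($sql, ...$args).
// Table and column names here are hypothetical.
function build_in_clause(array $ids): array
{
    $ints = [];
    foreach ($ids as $e) {
        if (is_numeric($e) && 0 < $e) {
            $ints[] = (int) $e;   // "1e3", "1.5", " 7" all collapse to plain ints
        }
    }
    if ($ints === []) {
        // No valid ids: return a clause that matches nothing rather than IN ().
        return ['sql' => 'SELECT id FROM example_sites WHERE 1 = 0', 'args' => []];
    }
    $placeholders = implode(', ', array_fill(0, count($ints), '%d'));
    return [
        'sql'  => "SELECT id FROM example_sites WHERE groupid IN ($placeholders)",
        'args' => $ints,
    ];
}

// Constructed input: two ordinary ids and one string that merely starts
// with a digit. The pre-fix filter keeps all three elements; the post-fix
// filter keeps only the first two; build_in_clause() binds two %d values.
$input = ['3', '12', '7 trailing text'];
var_dump(filter_ids_prefix_intval($input));
var_dump(filter_ids_numeric($input));
var_dump(build_in_clause($input));
```

Note that `is_numeric()` still accepts forms such as `"1e3"`, `"1.5"` and `" 7"`; those are syntactically harmless inside an `IN (...)` list, but casting to `int` and binding with `%d`, as the third function does, removes the question entirely.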
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mainwp/mainwp (Packagist) | < 4.4.3.4 | 4.4.3.4 |
Patches (1)
Commit 8df951c0e8b2: Added `tag` parameter value validation on the Manage Clients page
5 files changed · +24 −7
class/class-mainwp-db-client.php+16 −2 modified@@ -656,6 +656,21 @@ public function get_wp_client_by( $by = 'client_id', $value = null, $obj = OBJEC $with_tags = isset( $params['with_tags'] ) && $params['with_tags'] ? true : false; $group_ids = isset( $params['by_tags'] ) ? $params['by_tags'] : ''; + // valid group ids. + if ( is_array( $group_ids ) ) { + $group_ids = array_filter( + $group_ids, + function( $e ) { + if ( 'nogroups' === $e ) { + return true; + } + return ( is_numeric( $e ) && 0 < $e ) ? true : false; + } + ); + } else { + $group_ids = ''; + } + $select_sites = ''; $select_tags = ''; $where_clients = ''; @@ -867,8 +882,7 @@ public function update_selected_sites_for_client( $client_id, $site_ids ) { $site_ids = array_filter( $site_ids, function( $e ) { - $e = intval( $e ); - return ( 0 < $e ) ? true : false; + return ( is_numeric( $e ) && 0 < $e ) ? true : false; } );
class/class-mainwp-db.php+2 −2 modified@@ -1076,7 +1076,7 @@ public function get_sql_search_websites_for_current_user( $params ) { $group_ids = array_filter( $group_ids, function( $e ) { - if ( 'nogroups' == $e ) { + if ( 'nogroups' === $e ) { return true; } $e = intval( $e ); @@ -1092,7 +1092,7 @@ function( $e ) { $client_ids = array_filter( $client_ids, function( $e ) { - if ( 'noclients' == $e ) { + if ( 'noclients' === $e ) { return true; } return is_numeric( $e ) && ! empty( $e ) ? true : false; // to valid client ids.
class/class-mainwp-system.php+1 −1 modified@@ -35,7 +35,7 @@ class MainWP_System { * * @var string Current plugin version. */ - public static $version = '4.4.3.3'; + public static $version = '4.4.3.4'; /** * Private static variable to hold the single instance of the class.
mainwp.php+1 −1 modified@@ -8,7 +8,7 @@ * Author URI: https://mainwp.com * Plugin URI: https://mainwp.com/ * Text Domain: mainwp - * Version: 4.4.3.3 + * Version: 4.4.3.4 * * @package MainWP/Dashboard *
readme.txt+4 −1 modified@@ -7,7 +7,7 @@ Plugin URI: https://mainwp.com Requires at least: 5.4 Tested up to: 6.2.2 Requires PHP: 7.4 -Stable tag: 4.4.3.3 +Stable tag: 4.4.3.4 License: GPLv3 or later License URI: https://www.gnu.org/licenses/gpl-3.0.html @@ -298,6 +298,9 @@ Yes, we have a quick FAQ with a lot more questions and answers [here](https://ma == Changelog == += 4.4.3.4 - 6-26-2023 = +* Security: Added `tag` parameter value validation on the Manage Clients page + = 4.4.3.3 - 6-19-2023 = * Added: Upcomming extension info data * Fixed: An issue with the negative search feature
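Review bot: in get_wp_client_by (class-mainwp-db-client.php, hunk at line 656) the new array_filter block only drops elements; the strings that survive `is_numeric( $e ) && 0 < $e` are passed on exactly as the caller supplied them, so forms such as "1e3", "1.5" or " 7" still reach whatever builds `$select_tags`. Suggest normalising after filtering, e.g. `$group_ids = array_map( 'intval', $group_ids );` (keeping the 'nogroups' sentinel aside), and binding the ids with `%d` in `$wpdb->prepare()` rather than relying on the filter alone. The `else { $group_ids = ''; }` branch also silently discards a scalar `by_tags`; a comment saying whether a non-array value is a supported input or should be rejected would help the next reader.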
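Review bot: the removed line `$e = intval( $e );` in update_selected_sites_for_client (class-mainwp-db-client.php, hunk at line 867) is the root of the problem this patch fixes and deserves a sentence in the commit message: the cast only touched the callback's local copy, while array_filter kept the original element, so any string with a positive leading digit ("7 trailing text") passed the `0 < $e` test and flowed on verbatim. The replacement `is_numeric( $e ) && 0 < $e` closes that gap, but the values are still strings afterwards; `$site_ids = array_map( 'intval', $site_ids );` after the filter, or `%d` placeholders at the query, would make the site ids integers regardless of how later code consumes them.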
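Review bot: in get_sql_search_websites_for_current_user (class-mainwp-db.php, hunk at line 1076) the `==` to `===` change leaves the group_ids callback on the same `$e = intval( $e );` pattern that class-mainwp-db-client.php's update_selected_sites_for_client replaces in this very commit; since array_filter returns the original element, casting the local copy does not stop a string with a positive numeric prefix from passing. Align it with the client_ids callback below it (`is_numeric( $e ) && ...`) or cast the whole array with array_map( 'intval', ... ) before the query is built. Separately, the client_ids check `is_numeric( $e ) && ! empty( $e )` (hunk at line 1092) still admits negatives such as "-1"; `0 < $e`, as used on the group side, is the tighter test.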
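Review bot: the readme changelog entry names only the `tag` parameter, but the validation added in this commit covers the `by_tags` group ids in get_wp_client_by and the site ids in update_selected_sites_for_client; naming both inputs in the changelog (and in the commit message) would let operators judge which requests were affected before upgrading.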
References
- github.com/advisories/GHSA-87fg-9x5w-j3rm (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-38519 (NVD advisory)
- patchstack.com/database/vulnerability/mainwp/wordpress-mainwp-plugin-4-4-3-3-sql-injection-vulnerability (Patchstack, third-party advisory)
- github.com/mainwp/mainwp/commit/8df951c0e8b2c2646cc57fc66b00767551cac400 (fix commit)