MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

mainwp-child · by mainwp · wordpress.org ↗ · SVN ↗

Acquired by MainWP. New committers from that team's naming convention are expected and will not fire takeover events. source ↗

Active installs: 700k+
Current version: 6.0.11
Added: 2013-08-27
Last updated: 2026-05-05 (17d ago)
First seen by beacon: 1mo ago
Total downloads: 44,170,207

Historical audits (1)

Past investigations, all resolved. No current threat.

Benign Audit #11 baseline 5.1 → head 5.1.1 1mo ago

Alerts (0)

No open alerts.

Show 2 resolved alerts

High code_scan_match Resolved · code_scan_fp_class_genre_encoding 2026-05-05 11:21:29 (17d ago)

Slug mainwp-child

Finding count 47

Findings

Pattern	Kind	File	Line	Snippet	Confidence
`base64_decode`	`builtin`	`class/class-mainwp-child-ithemes-security.php`	422	$update_settings = isset( $_POST['settings'] ) ? json_decode( base64_decode( wp_unslash( $_POST['settings'] ) ), true ) : ''; // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions -- base64_e	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-ithemes-security.php`	671	$data = isset( $_POST['data'] ) ? json_decode( base64_decode( wp_unslash( $_POST['data'] ) ), true ) : array(); // phpcs:ignore WordPress.Security.NonceVerification,WordPress.Security.V	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-timecapsule.php`	1,655	$data = isset( $_POST['data'] ) ? json_decode( base64_decode( wp_unslash( $_POST['data'] ) ), true ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized,Wor	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-wordpress-seo.php`	112	$file_url = ! empty( $_POST['file_url'] ) ? sanitize_text_field( base64_decode( wp_unslash( $_POST['file_url'] ) ) ) : ''; // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions, Word	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-wordpress-seo.php`	136	$settings = ! empty( $_POST['settings'] ) ? base64_decode( wp_unslash( $_POST['settings'] ) ) : ''; // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions,WordPress.Security.ValidatedSa	`medium`
`wpconfig_write`	`builtin`	`class/class-mainwp-clone-install.php`	280	$wpConfig = file_get_contents( ABSPATH . 'wp-config.php' ); //phpcs:ignore WordPress.WP.AlternativeFunctions	`medium`
`wpconfig_write`	`builtin`	`class/class-mainwp-clone-install.php`	285	MainWP_Helper::file_put_contents( ABSPATH . 'wp-config.php', $wpConfig ); //phpcs:ignore WordPress.WP.AlternativeFunctions	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-users.php`	547	$new_password = isset( $_POST['new_password'] ) ? base64_decode( wp_unslash( $_POST['new_password'] ) ) : ''; //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, Word	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-users.php`	607	$new_user = isset( $_POST['new_user'] ) ? json_decode( base64_decode( wp_unslash( $_POST['new_user'] ) ), true ) : ''; //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotS	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-connect.php`	518	$auth = static::connect_verify( $func . $nonce, base64_decode( $signature ), base64_decode( get_option( 'mainwp_child_pubkey' ) ), $algo ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunc	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-keys-manager.php`	163	$encodedValue = base64_decode( $encodedValue ); //phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions -- safe.	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-keys-manager.php`	177	$encryptedValue = base64_decode( $encodedValue ); //phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions -- safe.	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-pagespeed.php`	276	$settings = isset( $_POST['settings'] ) ? json_decode( base64_decode( wp_unslash( $_POST['settings'] ) ), true ) : array(); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions,WordPress.Secu	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-wordfence.php`	1,551	$settings = isset( $_POST['settings'] ) ? json_decode( base64_decode( wp_unslash( $_POST['settings'] )), true ) : array(); // phpcs:ignore -- custom fix to pass through security rules of Dream	`medium`
`base64_decode`	`builtin`	`class/class-mainwp-child-wp-rocket.php`	937	$options = isset( $_POST['settings'] ) ? json_decode( base64_decode( wp_unslash( $_POST['settings'] ) ), true ) : ''; //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitiz	`medium`

Resolved sha 8d6aa3845211ae7d39a690c5ef44bbea01e5837a

View raw JSON

{
    "slug": "mainwp-child",
    "finding_count": 47,
    "findings": [
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-ithemes-security.php",
            "line": 422,
            "snippet": "$update_settings = isset( $_POST['settings'] ) ? json_decode( base64_decode( wp_unslash( $_POST['settings'] ) ), true ) : ''; // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions  -- base64_e",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-ithemes-security.php",
            "line": 671,
            "snippet": "$data        = isset( $_POST['data'] ) ? json_decode( base64_decode( wp_unslash( $_POST['data'] ) ), true ) : array(); // phpcs:ignore WordPress.Security.NonceVerification,WordPress.Security.V",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-timecapsule.php",
            "line": 1655,
            "snippet": "$data = isset( $_POST['data'] ) ? json_decode( base64_decode( wp_unslash( $_POST['data'] ) ), true ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized,Wor",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-wordpress-seo.php",
            "line": 112,
            "snippet": "$file_url       = ! empty( $_POST['file_url'] ) ? sanitize_text_field( base64_decode( wp_unslash( $_POST['file_url'] ) ) ) : ''; // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions, Word",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-wordpress-seo.php",
            "line": 136,
            "snippet": "$settings = ! empty( $_POST['settings'] ) ? base64_decode( wp_unslash( $_POST['settings'] ) ) : ''; // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions,WordPress.Security.ValidatedSa",
            "confidence": "medium"
        },
        {
            "pattern": "wpconfig_write",
            "kind": "builtin",
            "file": "class/class-mainwp-clone-install.php",
            "line": 280,
            "snippet": "$wpConfig = file_get_contents( ABSPATH . 'wp-config.php' ); //phpcs:ignore WordPress.WP.AlternativeFunctions",
            "confidence": "medium"
        },
        {
            "pattern": "wpconfig_write",
            "kind": "builtin",
            "file": "class/class-mainwp-clone-install.php",
            "line": 285,
            "snippet": "MainWP_Helper::file_put_contents( ABSPATH . 'wp-config.php', $wpConfig ); //phpcs:ignore WordPress.WP.AlternativeFunctions",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-users.php",
            "line": 547,
            "snippet": "$new_password = isset( $_POST['new_password'] ) ? base64_decode( wp_unslash( $_POST['new_password'] ) ) : '';  //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, Word",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-users.php",
            "line": 607,
            "snippet": "$new_user      = isset( $_POST['new_user'] ) ? json_decode( base64_decode( wp_unslash( $_POST['new_user'] ) ), true ) : '';  //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotS",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-connect.php",
            "line": 518,
            "snippet": "$auth = static::connect_verify( $func . $nonce, base64_decode( $signature ), base64_decode( get_option( 'mainwp_child_pubkey' ) ), $algo ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunc",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-keys-manager.php",
            "line": 163,
            "snippet": "$encodedValue = base64_decode( $encodedValue ); //phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions -- safe.",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-keys-manager.php",
            "line": 177,
            "snippet": "$encryptedValue = base64_decode( $encodedValue ); //phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions -- safe.",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-pagespeed.php",
            "line": 276,
            "snippet": "$settings = isset( $_POST['settings'] ) ? json_decode( base64_decode( wp_unslash( $_POST['settings'] ) ), true ) : array(); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions,WordPress.Secu",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-wordfence.php",
            "line": 1551,
            "snippet": "$settings = isset( $_POST['settings'] ) ? json_decode( base64_decode( wp_unslash( $_POST['settings'] )), true ) : array(); // phpcs:ignore -- custom fix to pass through security rules of Dream",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class/class-mainwp-child-wp-rocket.php",
            "line": 937,
            "snippet": "$options = isset( $_POST['settings'] ) ? json_decode( base64_decode( wp_unslash( $_POST['settings'] ) ), true ) : '';  //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitiz",
            "confidence": "medium"
        }
    ],
    "resolved_sha": "8d6aa3845211ae7d39a690c5ef44bbea01e5837a"
}

Critical new_committer_young_account Resolved · audit:benign 2026-04-22 02:50:47 (1mo ago)

Slug	mainwp-child
Committer	thanghoang
Display name	`thanghoang`
Member since	2024-06-27
First commit at	2024-07-09 16:51:02
Account age at first commit	12
Commit count	92
Active installs	700,000

View raw JSON

{
    "slug": "mainwp-child",
    "committer": "thanghoang",
    "display_name": "thanghoang",
    "member_since": "2024-06-27",
    "first_commit_at": "2024-07-09 16:51:02",
    "account_age_at_first_commit": 12,
    "commit_count": 92,
    "active_installs": 700000
}

SVN committers (2)

Accounts with actual commit access to mainwp-child on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
mainwp	2013-08-11	107	2014-08-29 · r975395	2024-06-18 · r3104071
thanghoang Young account	2024-06-27	2	2024-07-09 · r3115113	2026-05-05 · r3523583

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
mainwp	2013-08-11	107 commits	Active

Versions (100 most recent)

Version	Released	Download
6.0.11	2026-05-05 · 17d ago	zip
6.0.10	2026-04-28 · 24d ago	zip
6.0.9	2026-04-21 · 1mo ago	—
6.0.8	2026-04-14 · 1mo ago	zip
6.0.7	2026-04-07 · 1mo ago	zip
6.0.6	2026-03-31 · 1mo ago	zip
6.0.5	2026-03-24 · 1mo ago	zip
6.0.4	2026-03-20 · 2mo ago	zip
6.0.3	2026-03-17 · 2mo ago	zip
6.0.2	2026-03-10 · 2mo ago	zip
6.0.1	2026-03-03 · 2mo ago	zip
6.0	2026-02-25 · 2mo ago	zip
5.4.1	2025-12-10 · 5mo ago	zip
5.4.0.15	2025-12-03 · 5mo ago	zip
5.4.0.14	2025-08-26 · 8mo ago	zip
5.4.0.13	2025-08-19 · 9mo ago	zip
5.4.0.12	2025-08-12 · 9mo ago	zip
5.4.0.11	2025-07-15 · 10mo ago	zip
5.4.0.10	2025-06-03 · 11mo ago	zip
5.4.0.9	2025-05-27 · 12mo ago	zip
5.4.0.8	2025-05-20 · 1y ago	zip
5.4.0.7	2025-05-13 · 1y ago	zip
5.4.0.6	2025-04-22 · 1y ago	zip
5.4.0.5	2025-04-15 · 1y ago	zip
5.4.0.4	2025-04-03 · 1y ago	zip
5.4.0.3	2025-03-24 · 1y ago	zip
5.4.0.2	2025-03-12 · 1y ago	zip
5.4.0.1	2025-03-06 · 1y ago	zip
5.4	2025-03-05 · 1y ago	zip
5.3.5	2025-02-06 · 1y ago	zip
5.3.4	2025-01-27 · 1y ago	zip
5.3.3	2024-12-27 · 1y ago	zip
5.3.2	2024-12-26 · 1y ago	zip
5.3.1	2024-12-12 · 1y ago	zip
5.3	2024-12-03 · 1y ago	zip
5.2.1	2024-11-20 · 1y ago	zip
5.2	2024-11-15 · 1y ago	zip
5.1.1	2024-07-16 · 1y ago	zip
5.1	2024-06-18 · 1y ago	zip
5.0.1.1	2024-05-08 · 2y ago	zip
5.0.1	2024-04-18 · 2y ago	zip
5.0	2024-04-03 · 2y ago	zip
4.6	2024-01-03 · 2y ago	zip
4.5.3	2023-11-17 · 2y ago	zip
4.5.2	2023-10-20 · 2y ago	zip
4.5.1	2023-09-05 · 2y ago	zip
4.5	2023-08-29 · 2y ago	zip
4.4.1.3	2023-08-09 · 2y ago	zip
4.4.1.2	2023-06-08 · 2y ago	zip
4.4.1.1	2023-05-09 · 3y ago	zip
4.4.1	2023-04-18 · 3y ago	zip
4.4.0.4	2023-03-30 · 3y ago	zip
4.4.0.3	2023-03-30 · 3y ago	zip
4.4.0.2	2023-03-16 · 3y ago	zip
4.4.0.1	2023-03-09 · 3y ago	zip
4.4	2023-02-20 · 3y ago	zip
4.3.1	2022-12-14 · 3y ago	zip
4.3.0.1	2022-11-24 · 3y ago	zip
4.3	2022-11-16 · 3y ago	zip
4.2.6	2022-10-31 · 3y ago	zip
4.2.5	2022-08-25 · 3y ago	zip
4.2.4	2022-07-14 · 3y ago	zip
4.2.3	2022-05-16 · 4y ago	zip
4.2.2	2022-05-10 · 4y ago	zip
4.2.1	2022-04-14 · 4y ago	zip
4.2	2022-04-05 · 4y ago	zip
4.1.10	2022-02-16 · 4y ago	zip
4.1.9	2022-01-25 · 4y ago	zip
4.1.8	2021-10-21 · 4y ago	zip
4.1.7.1	2021-10-01 · 4y ago	zip
4.1.7	2021-07-26 · 4y ago	zip
4.1.6.1	2021-04-16 · 5y ago	zip
4.1.6	2021-04-15 · 5y ago	zip
4.1.5	2021-03-18 · 5y ago	zip
4.1.4	2021-03-10 · 5y ago	zip
4.1.3.1	2020-12-30 · 5y ago	zip
4.1.3	2020-12-03 · 5y ago	zip
4.1.2	2020-10-08 · 5y ago	zip
4.1.1	2020-10-07 · 5y ago	zip
4.1	2020-09-09 · 5y ago	zip
4.0.7.2	2020-08-25 · 5y ago	zip
4.0.7.1	2020-04-30 · 6y ago	zip
4.0.7	2020-04-21 · 6y ago	zip
4.0.6.2	2020-02-03 · 6y ago	zip
4.0.6.1	2020-01-20 · 6y ago	zip
4.0.6	2020-01-17 · 6y ago	zip
4.0.5.1	2019-12-13 · 6y ago	zip
4.0.5	2019-12-09 · 6y ago	zip
4.0.4	2019-11-11 · 6y ago	zip
4.0.3	2019-10-01 · 6y ago	zip
4.0.2	2019-09-06 · 6y ago	zip
4.0.1	2019-09-03 · 6y ago	zip
4.0	2019-08-28 · 6y ago	zip
3.5.7	2019-05-06 · 7y ago	zip
3.5.6	2019-03-25 · 7y ago	zip
3.5.5	2019-03-06 · 7y ago	zip
3.5.4.1	2019-02-19 · 7y ago	zip
3.5.4	2019-02-14 · 7y ago	zip
3.5.3	2018-12-19 · 7y ago	zip
3.5.2	2018-11-27 · 7y ago	zip