A vulnerability in the MainWP Child plugin for WordPress – identified by researchers with Sucuri and deemed a critical security risk – can be exploited by an attacker to take full control of a website.
“This vulnerability allows anyone to log in as an administrator only by knowing the target user's handle (password bypass),” Mickael Nadeau, a security and vulnerability researcher with Sucuri, wrote in a Monday blog post. “It is very simple to exploit and a big deal, as security tools like WPScan already automate the process of grabbing a list of usernames from WordPress sites.”
Sucuri notified the developers, and the issue has been addressed in version 126.96.36.199. The plugin – which is used as a remote administration tool – has been installed more than 90,000 times, and all users are being urged to update.