Description
Cross-Site Request Forgery (CSRF) vulnerability in Convers Lab WPSubscription allows Cross Site Request Forgery.

This issue affects WPSubscription: from n/a through 1.9.1.
Published: 2026-05-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross-Site Request Forgery (CSRF) in the Convers Lab WPSubscription plugin allows an attacker to trick an authenticated user's browser into submitting requests the user did not intend. The vulnerability originates from the plugin's lack of proper request validation, which can lead to unauthorized changes or data manipulation within the WordPress site. The weakness is classified as CWE-352 and can result in accidental or malicious modification of subscription data or administrative settings.

Affected Systems

WordPress sites that have the Convers Lab WPSubscription plugin installed prior to version 1.9.2 are affected. Versions from the first release up to and including 1.9.1 are vulnerable; the exact starting version is not specified in the report. Administrators should verify the plugin version and plan an update if the installed version is 1.9.1 or lower.

Risk and Exploitability

The CVSS base score for this flaw is 4.3 (Medium), indicating moderate risk. The EPSS score is not provided, so the current probability of exploitation is unclear, and the issue is not listed in CISA's KEV catalog. An attacker would most likely exploit the flaw by causing a logged-in user's browser to send a crafted request, relying on the victim's existing login session and controlling the request parameters. Because this is a CSRF issue, the victim must be authenticated and must visit a malicious page; no additional privileges or network access are necessary.

Generated by OpenCVE AI on May 25, 2026 at 23:25 UTC.

Remediation

Vendor Solution

Update the WordPress WPSubscription Plugin to the latest available version (at least 1.9.2).


OpenCVE Recommended Actions

  • Upgrade the WPSubscription plugin to version 1.9.2 or later to remove the CSRF flaw.
  • Verify that all form submissions in the plugin include a valid nonce or token to prevent CSRF attacks.
  • Restrict access to the plugin’s administrative interfaces to a limited set of trusted users and enable logging to detect abnormal usage.

Generated by OpenCVE AI on May 25, 2026 at 23:25 UTC.
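The second recommended action above (a valid nonce on every state-changing form) is what closes a CWE-352 gap in a WordPress plugin. The following is an added illustration, not code from WPSubscription or Patchstack: a hypothetical admin-post handler (the `wpsub_demo_*` names, option and form field are assumptions) that pairs a nonce check with a capability check and input validation, using only standard WordPress functions.

```php
<?php
// Added example (not WPSubscription's code): a WordPress admin action handler
// hardened against CSRF with a nonce check plus a capability check.
// Hypothetical names: the 'wpsub_demo_update' action, the 'wpsub_demo_nonce'
// field name and the wpsub_demo_interval_days option are assumptions.

// Render the form. wp_nonce_field() emits a hidden token bound to the
// current user's session and to this specific action string.
function wpsub_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpsub_demo_update">
        <?php wp_nonce_field( 'wpsub_demo_update', 'wpsub_demo_nonce' ); ?>
        <label>Renewal interval (days)
            <input type="number" name="interval_days" min="1" max="365">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the submission. Without the two checks below, any page a logged-in
// administrator visits could auto-submit this form (the CWE-352 pattern).
function wpsub_demo_handle_update() {
    // 1. CSRF defence: the nonce must be present and valid for this action.
    //    check_admin_referer() terminates the request when it is not.
    check_admin_referer( 'wpsub_demo_update', 'wpsub_demo_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege; still check capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpsub-demo' ), '', array( 'response' => 403 ) );
    }

    // 3. Validate the input before persisting it.
    $days = isset( $_POST['interval_days'] ) ? absint( wp_unslash( $_POST['interval_days'] ) ) : 0;
    if ( $days < 1 || $days > 365 ) {
        wp_die( esc_html__( 'Invalid interval.', 'wpsub-demo' ), '', array( 'response' => 400 ) );
    }
    update_option( 'wpsub_demo_interval_days', $days );

    // Redirect back so a browser refresh does not resubmit the form.
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}

// admin-post.php routes POST action=wpsub_demo_update here for logged-in users.
add_action( 'admin_post_wpsub_demo_update', 'wpsub_demo_handle_update' );
```

For AJAX endpoints the equivalent check is check_ajax_referer(); auditing a plugin means confirming every handler that changes state performs one of these checks, not only the form-rendering side.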


Advisories

No advisories yet.

History

Tue, 26 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 00:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Convers Lab; Convers Lab wpsubscription; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Removed: (none)
Values Added: Convers Lab; Convers Lab wpsubscription; Wordpress; Wordpress wordpress

Mon, 25 May 2026 22:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Convers Lab WPSubscription allows Cross Site Request Forgery. This issue affects WPSubscription: from n/a through 1.9.1.
Type: Title
Values Added: WordPress WPSubscription plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-26T10:52:17.516Z

Reserved: 2026-01-23T12:31:51.715Z

Link: CVE-2026-24554

Vulnrichment

Updated: 2026-05-26T10:52:12.478Z

NVD

Status : Received

Published: 2026-05-25T22:16:32.763

Modified: 2026-05-25T22:16:32.763

Link: CVE-2026-24554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T00:30:25Z

Weaknesses