Description
Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to subscription management capabilities within WordPress sites
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Missing Authorization flaw in the weDevs Subscribe2 WordPress plugin that enables exploitation of incorrectly configured access control security levels. An attacker can gain unauthorized access to subscription management functions, bypassing normal role restrictions, potentially modifying subscription settings, issuing emails, and accessing private subscriber data. The weakness is classified as CWE-862.

Affected Systems

The issue affects the weDevs Subscribe2 plugin, with all releases up to and including version 10.44 being vulnerable. Any WordPress installation running an affected version of this plugin is at risk; no specific operating system or WordPress major version is specified.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk level, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web request to the plugin’s administrative endpoints, and an attacker would need to circumvent the plugin’s access controls to perform unauthorized actions. Because no publicly reported exploit exists and the exploitation potential is low, the overall risk remains moderate but requires timely mitigation.

Generated by OpenCVE AI on April 16, 2026 at 06:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the weDevs Subscribe2 plugin to a version newer than 10.44, applying the vendor’s official security patch.
  • If an upgrade is not immediately available, disable or deactivate the Subscribe2 plugin to remove the vulnerability surface until a patch can be applied.
  • Review and tighten WordPress role permissions for subscription-related capabilities, ensuring that subscriber roles do not have administrative privileges that could be abused.

Generated by OpenCVE AI on April 16, 2026 at 06:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Wedevs
Wedevs subscribe2
Wordpress
Wordpress wordpress
Vendors & Products Wedevs
Wedevs subscribe2
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.
Title WordPress Subscribe2 plugin <= 10.44 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wedevs Subscribe2
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T17:44:25.298Z

Reserved: 2026-01-28T09:50:05.801Z

Link: CVE-2026-24944

cve-icon Vulnrichment

Updated: 2026-02-20T18:45:08.033Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:38.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24944

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses