Description
The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users.
Published: 2026-05-05
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Subscribe To Comments Reloaded plugin for WordPress (CVE-2026-4409, weakness CWE-200) has an improper authorization flaw in all releases up to and including 240119: a global secret key is leaked on public post pages, and per-user authorization keys are derived from it with a weak hash. An unauthenticated visitor can read the key from any public post page, compute the authorization key for any subscriber, and use it to manage that subscriber's comment-subscription preferences (for example changing or cancelling a subscription the subscriber did not ask to change). The CVSS vector rates confidentiality and integrity impact as low and availability as none, so the direct effect is disclosure of the key and unauthorized alteration of subscription settings rather than an outage.

Affected Systems

WordPress sites running the Subscribe To Comments Reloaded plugin (vendor: wpkube) at any version up to and including 240119 are affected. This page records no fixed release, so before treating an upgrade as the remediation, confirm from the plugin changelog that the installed version is newer than 240119 and that the release notes address this issue.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: reachable over the network, low attack complexity, no privileges and no user interaction required. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. The attack path is to request any public post page, extract the leaked global key, compute the authorization key for a target subscriber with the weak hash, and then submit subscription-management requests as that subscriber. Because the key is recoverable by any visitor, every site on a vulnerable version is exploitable without credentials.

Generated by OpenCVE AI on May 5, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Subscribe To Comments Reloaded plugin to a release newer than 240119 whose changelog confirms the leaked key and the weak hash generation are fixed; at the time of this page no fixed version was recorded. If the update keeps the same key material, rotate it, since copies already harvested from public or cached pages remain usable against an unchanged key.
  • If an immediate update is not possible, temporarily disable the subscription management feature or deactivate the plugin so that unauthenticated subscription changes cannot be made.
  • After updating, load a public post page as an unauthenticated visitor and inspect the rendered HTML, including inline scripts and hidden form fields, for the plugin's key material; any subscription-management key a visitor can read without credentials means the site is still exposed.

Advisories

No advisories yet.

History

Tue, 05 May 2026 03:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
                                      Wpkube
                                      Wpkube subscribe To Comments Reloaded
Vendors & Products                    Wordpress
                                      Wordpress wordpress
                                      Wpkube
                                      Wpkube subscribe To Comments Reloaded

Tue, 05 May 2026 02:45:00 +0000

Type          Values Removed   Values Added
Description                    The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users.
Title                          Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management
Weaknesses                     CWE-200
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T02:26:55.996Z

Reserved: 2026-03-18T23:02:48.429Z

Link: CVE-2026-4409

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T03:15:59.420

Modified: 2026-05-05T03:15:59.420

Link: CVE-2026-4409

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T03:30:14Z

Weaknesses