PT-2026-36951 · WordPress · Subscribe To Comments Reloaded
Supakiad S · Published 2026-05-05 · Updated 2026-05-21
CVE-2026-4409
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Subscribe To Comments Reloaded versions prior to 240120
Description
The Subscribe To Comments Reloaded plugin for WordPress allows unauthenticated attackers to modify data without authorization. This is caused by a leaked secret key and the use of a weak hash generation algorithm. Attackers can extract the global key from any public post page to forge authorization keys, enabling them to manage comment subscription preferences for arbitrary users.
Recommendations
Update the plugin to a version later than 240119.
Fix
Information Disclosure
Affected Products
Subscribe To Comments Reloaded