CVE Alert

CVE-2026-4409

MEDIUM 6.5

Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users.

CWE: CWE-200
Vendor: wpkube
Product: subscribe to comments reloaded
Published: May 5, 2026

CVSS v3 Breakdown

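CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: None (A:N)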

Affected Versions

wpkube / Subscribe To Comments Reloaded
0 ≤ 240119

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37

Credits

Supakiad S.