{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24522", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:31.582Z", "datePublished": "2026-01-23T14:28:48.570Z", "dateUpdated": "2026-04-28T16:14:48.774Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-subscribe", "product": "WP Subscribe", "vendor": "MyThemeShop", "versions": [{"lessThanOrEqual": "1.2.16", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:58.259Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Subscribe: from n/a through <= 1.2.16.</p>"}], "value": "Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Subscribe: from n/a through <= 1.2.16."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.774Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-subscribe/vulnerability/wordpress-wp-subscribe-plugin-1-2-16-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Subscribe plugin <= 1.2.16 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T16:45:04.384038Z", "id": "CVE-2026-24522", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:10:57.632Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24522", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:31.582Z", "datePublished": "2026-01-23T14:28:48.570Z", "dateUpdated": "2026-04-28T14:10:57.632Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-subscribe", "product": "WP Subscribe", "vendor": "MyThemeShop", "versions": [{"lessThanOrEqual": "1.2.16", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:58.259Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Subscribe: from n/a through <= 1.2.16.</p>"}], "value": "Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Subscribe: from n/a through <= 1.2.16."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:05.558Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-subscribe/vulnerability/wordpress-wp-subscribe-plugin-1-2-16-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Subscribe plugin <= 1.2.16 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24522", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T16:45:04.384038Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T16:44:55.583Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Subscribe: from n/a through <= 1.2.16."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en MyThemeShop WP Subscribe wp-subscribe permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Subscribe: desde n/a hasta &lt;= 1.2.16."}], "id": "CVE-2026-24522", "lastModified": "2026-04-28T15:16:09.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:07.900", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-subscribe/vulnerability/wordpress-wp-subscribe-plugin-1-2-16-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:34:49.793105+00:00", "value": {"mitigation_remediation": ["Update WP Subscribe to the latest version (\u22651.2.17) which implements proper authorization checks.", "If updating immediately is not possible, restrict which WordPress roles can access the plugin\u2019s administrative interface by removing the capability to edit plugin settings from non\u2011administrator roles.", "As an interim measure, temporarily disable the plugin or block access to its administration URLs until the fix is applied."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All installations of MyThemeShop WP Subscribe plugin version 1.2.16 or earlier are affected. If the version number is unknown, verify whether the plugin is 1.2.16 or lower; those versions are vulnerable.", "description_and_impact": "The WP Subscribe plugin contains a missing authorization flaw that permits attackers to bypass intended access controls and gain unauthorized actions within the plugin. The vulnerability stems from incorrectly configured security levels, allowing users without proper permissions to exploit plugin functionalities. This can lead to unauthorized configuration changes or exposure of data within the WordPress site.", "risk_and_exploitability": "The CVSS score of 4.3 denotes moderate severity, and the EPSS score is below 1%, indicating a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would identify the plugin on the website, then use the exposed access control weakness to perform unauthorized actions scoped to the WordPress site. It is not stated whether exploit code is publicly available, but the lack of proper authorization checks means that an authenticated user could elevate privileges within the plugin context."}}}}, "created": "2026-01-26T11:54:34.587597+00:00", "updated": "2026-04-16T07:45:06.014812+00:00", "vendors": ["mythemeshop", "mythemeshop$PRODUCT$wp_subscribe", "wordpress", "wordpress$PRODUCT$wordpress"]}