{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24944", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:05.801Z", "datePublished": "2026-02-20T15:47:07.681Z", "dateUpdated": "2026-04-28T17:44:25.298Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "subscribe2", "product": "Subscribe2", "vendor": "weDevs", "versions": [{"changes": [{"at": "10.45", "status": "unaffected"}], "lessThanOrEqual": "10.44", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "chokri hammedi | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:55.656Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Subscribe2: from n/a through <= 10.44.</p>"}], "value": "Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.229Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/subscribe2/vulnerability/wordpress-subscribe2-plugin-10-44-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Subscribe2 plugin <= 10.44 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T18:48:31.989832Z", "id": "CVE-2026-24944", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:44:25.298Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24944", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T18:48:31.989832Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T18:45:08.033Z"}}], "cna": {"title": "WordPress Subscribe2 plugin <= 10.44 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "chokri hammedi | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "weDevs", "product": "Subscribe2", "versions": [{"status": "affected", "changes": [{"at": "10.45", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "10.44"}], "packageName": "subscribe2", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:55.656Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/subscribe2/vulnerability/wordpress-subscribe2-plugin-10-44-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Subscribe2: from n/a through <= 10.44.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.229Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24944", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:44:25.298Z", "dateReserved": "2026-01-28T09:50:05.801Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:47:07.681Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en weDevs Subscribe2 subscribe2 permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Subscribe2: desde n/a hasta &lt;= 10.44."}], "id": "CVE-2026-24944", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:38.883", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/subscribe2/vulnerability/wordpress-subscribe2-plugin-10-44-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.44]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Subscribe2", "source": "cna", "vendor": "weDevs"}, "product": "subscribe2", "vendor": "wedevs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:11:02.369362+00:00", "value": {"mitigation_remediation": ["Update the weDevs Subscribe2 plugin to a version newer than 10.44, applying the vendor\u2019s official security patch.", "If an upgrade is not immediately available, disable or deactivate the Subscribe2 plugin to remove the vulnerability surface until a patch can be applied.", "Review and tighten WordPress role permissions for subscription-related capabilities, ensuring that subscriber roles do not have administrative privileges that could be abused."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to subscription management capabilities within WordPress sites"}, "threat_synthesis": {"affected_systems": "The issue affects the weDevs Subscribe2 plugin, with all releases up to and including version 10.44 being vulnerable. Any WordPress installation running an affected version of this plugin is at risk; no specific operating system or WordPress major version is specified.", "description_and_impact": "The vulnerability is a Missing Authorization flaw in the weDevs Subscribe2 WordPress plugin that enables exploitation of incorrectly configured access control security levels. An attacker can gain unauthorized access to subscription management functions, bypassing normal role restrictions, potentially modifying subscription settings, issuing emails, and accessing private subscriber data. The weakness is classified as CWE-862.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate risk level, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web request to the plugin\u2019s administrative endpoints, and an attacker would need to circumvent the plugin\u2019s access controls to perform unauthorized actions. Because no publicly reported exploit exists and the exploitation potential is low, the overall risk remains moderate but requires timely mitigation."}}}}, "created": "2026-02-23T14:35:55.850273+00:00", "updated": "2026-04-16T06:15:26.916611+00:00", "vendors": ["wedevs", "wedevs$PRODUCT$subscribe2", "wordpress", "wordpress$PRODUCT$wordpress"]}