Subscribe2 – Form, Email Subscribers & Newsletters Security & Risk Analysis

wordpress.org/plugins/subscribe2

Sends a list of subscribers an email notification when you publish new posts.

20K active installs · v10.45 · PHP 5.4+ · WP 4.0+ · Updated Dec 29, 2025
Tags: email, notify, posts, subscribe, subscription
Score: 88 · A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Feb 3, 2026
Safety Verdict

Is Subscribe2 – Form, Email Subscribers & Newsletters Safe to Use in 2026?

Generally Safe

Score 88/100

Subscribe2 – Form, Email Subscribers & Newsletters has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Feb 3, 2026 · Updated 3mo ago
Risk Assessment

The Subscribe2 plugin version 10.45 presents a mixed security posture. While it demonstrates some good practices like a high percentage of prepared SQL statements and a reasonable number of capability checks, there are significant areas of concern.

The static analysis reveals a notable attack surface, with two out of three AJAX handlers lacking authentication checks. This is a critical oversight that could allow unauthorized actions. Furthermore, the taint analysis indicates two flows with unsanitized paths, classified as high severity. These issues, combined with the history of eight known CVEs, including three high-severity vulnerabilities related to missing authorization, CSRF, and XSS, suggest a plugin that has historically been a target and has had recurring security weaknesses.

Despite the absence of currently unpatched CVEs and a recent vulnerability date (though unusually in the future), the combination of unprotected entry points and high-severity taint flows points to a continued need for vigilance. While the plugin has strengths in its SQL handling and nonce checks, the identified weaknesses in authorization and input sanitization, coupled with its vulnerability history, warrant a cautious approach to its deployment.

Key Concerns

  • AJAX handlers without authentication checks
  • High severity unsanitized taint flows
  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
  • Large attack surface with unprotected entry points

Subscribe2 – Form, Email Subscribers & Newsletters Security Vulnerabilities

CVEs by Year

  • 2014: 2 CVEs
  • 2022: 2 CVEs
  • 2023: 2 CVEs
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

High: 3
Medium: 5

8 total CVEs

CVE-2026-24944 · medium · 5.3 · Missing Authorization

Subscribe2 <= 10.44 - Missing Authorization

Feb 3, 2026 · Patched in 10.45 (7d)

CVE-2024-11582 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Subscribe2 – Form, Email Subscribers & Newsletters <= 10.43 - Unauthenticated Stored Cross-Site Scripting via IP Parameter

Feb 18, 2025 · Patched in 10.44 (1d)

CVE-2023-3407 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Subscribe2 <= 10.40 - Cross-Site Request Forgery

Jun 26, 2023 · Patched in 10.41 (211d)

CVE-2023-1844 · medium · 4.3 · Missing Authorization

Subscribe2 <= 10.40 - Missing Authorization

Jun 26, 2023 · Patched in 10.41 (211d)

CVE-2022-4309 · high · 7.1 · Cross-Site Request Forgery (CSRF)

Subscribe2 <= 10.37 - Cross-Site Request Forgery

Dec 22, 2022 · Patched in 10.38 (397d)

WF-84003388-c47c-41db-8d2d-4643aa375a89-subscribe2 · medium · 4.3 · Missing Authorization

Appsero <= 1.2.1 - Missing Authorization

Dec 16, 2022 · Patched in 10.38 (699d)

CVE-2014-6604 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Subscribe2 – Form, Email Subscribers & Newsletters <= 10.15 - Stored Cross-Site Scripting

Oct 1, 2014 · Patched in 10.16 (3401d)

WF-10a54a3b-db6d-45c5-9280-7042ccc17ccd-subscribe2 · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Subscribe2 – Form, Email Subscribers & Newsletters < 8.1 - Multiple Cross-Site Scripting

Aug 1, 2014 · Patched in 8.1 (3462d)
Code Analysis
Analyzed Mar 16, 2026

Subscribe2 – Form, Email Subscribers & Newsletters Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 42 (89 prepared)
Unescaped Output: 312 (408 escaped)
Nonce Checks: 13
Capability Checks: 20
File Operations: 0
External Requests: 4
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

68% prepared · 131 total queries

Output Escaping

57% escaped · 720 total outputs

Data Flow Analysis

8 flows · 2 with unsanitized paths
<send-email> (admin\send-email.php:0)

Subscribe2 – Form, Email Subscribers & Newsletters Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers 3

nopriv · wp_ajax_subscribe2_form · classes\class-s2-ajax.php:16
nopriv · wp_ajax_subscribe2_submit · classes\class-s2-ajax.php:17
auth · wp_ajax_s2_dismiss_notice · classes\class-s2-core.php:2354

REST API Routes 3

GET · /wp-json/s2/v1/preview/(?P<id>[0-9]+) · classes\class-s2-block-editor.php:49
GET · /wp-json/s2/v1/resend/(?P<id>[0-9]+) · classes\class-s2-block-editor.php:73
GET · /wp-json/s2/v1/settings/(?P<setting>[a-z0-9_]+) · classes\class-s2-block-editor.php:97

Shortcodes 1

[subscribe2] · classes\class-s2-core.php:2416
WordPress Hooks 75

action · admin_notices · classes\class-mo-admin-notice.php:14
action · network_admin_notices · classes\class-mo-admin-notice.php:15
action · admin_init · classes\class-mo-admin-notice.php:17
filter · plugin_row_meta · classes\class-s2-admin.php:35
filter · mce_external_plugins · classes\class-s2-admin.php:394
filter · mce_buttons · classes\class-s2-admin.php:395
filter · s2_ajax_form · classes\class-s2-ajax.php:18
filter · safe_style_css · classes\class-s2-ajax.php:19
action · wp_enqueue_scripts · classes\class-s2-ajax.php:30
action · init · classes\class-s2-block-editor.php:16
action · rest_api_init · classes\class-s2-block-editor.php:17
action · rest_api_init · classes\class-s2-block-editor.php:18
action · rest_api_init · classes\class-s2-block-editor.php:19
action · enqueue_block_editor_assets · classes\class-s2-block-editor.php:22
action · enqueue_block_editor_assets · classes\class-s2-block-editor.php:23
filter · wp_mail_content_type · classes\class-s2-core.php:217
filter · wp_mail_content_type · classes\class-s2-core.php:228
action · init · classes\class-s2-core.php:2191
action · init · classes\class-s2-core.php:2196
action · shutdown · classes\class-s2-core.php:2226
filter · cron_schedules · classes\class-s2-core.php:2230
action · wpmu_activate_user · classes\class-s2-core.php:2234
action · add_user_to_blog · classes\class-s2-core.php:2235
action · remove_user_from_blog · classes\class-s2-core.php:2236
action · register_form · classes\class-s2-core.php:2238
action · user_register · classes\class-s2-core.php:2239
action · s2_digest_cron · classes\class-s2-core.php:2244
action · transition_post_status · classes\class-s2-core.php:2245
filter · jetpack_get_available_modules · classes\class-s2-core.php:2262
filter · comment_form_submit_field · classes\class-s2-core.php:2263
action · comment_post · classes\class-s2-core.php:2264
action · wp_set_comment_status · classes\class-s2-core.php:2265
action · widgets_init · classes\class-s2-core.php:2270
action · widgets_init · classes\class-s2-core.php:2275
action · wp_scheduled_delete · classes\class-s2-core.php:2280
action · admin_menu · classes\class-s2-core.php:2315
action · add_meta_boxes · classes\class-s2-core.php:2316
action · save_post · classes\class-s2-core.php:2317
action · save_post · classes\class-s2-core.php:2318
action · save_post · classes\class-s2-core.php:2319
action · create_category · classes\class-s2-core.php:2320
action · delete_category · classes\class-s2-core.php:2321
filter · ozh_adminmenu_icon_s2 · classes\class-s2-core.php:2325
filter · ozh_adminmenu_icon_s2_posts · classes\class-s2-core.php:2326
filter · ozh_adminmenu_icon_s2_tools · classes\class-s2-core.php:2327
filter · ozh_adminmenu_icon_s2_settings · classes\class-s2-core.php:2328
action · admin_init · classes\class-s2-core.php:2333
action · admin_init · classes\class-s2-core.php:2338
action · show_user_profile · classes\class-s2-core.php:2343
action · edit_user_profile · classes\class-s2-core.php:2344
action · personal_options_update · classes\class-s2-core.php:2345
action · edit_user_profile_update · classes\class-s2-core.php:2346
action · s2_digest_preview · classes\class-s2-core.php:2350
action · s2_digest_resend · classes\class-s2-core.php:2351
filter · set-screen-option · classes\class-s2-core.php:2357
action · wp · classes\class-s2-core.php:2392
filter · request · classes\class-s2-core.php:2396
filter · the_title · classes\class-s2-core.php:2397
filter · the_content · classes\class-s2-core.php:2398
filter · the_content · classes\class-s2-core.php:2402
action · wp_meta · classes\class-s2-core.php:2406
action · wp_enqueue_scripts · classes\class-s2-core.php:2411
action · wp_footer · classes\class-s2-core.php:2412
action · s2_subscription_submit · classes\class-s2-forms.php:21
action · s2_subscription_form · classes\class-s2-forms.php:22
action · switch_theme · include\appsero\src\Insights.php:140
action · switch_theme · include\appsero\src\Insights.php:141
action · admin_footer · include\appsero\src\Insights.php:158
action · admin_notices · include\appsero\src\Insights.php:175
action · admin_init · include\appsero\src\Insights.php:178
filter · cron_schedules · include\appsero\src\Insights.php:184
action · admin_menu · include\appsero\src\License.php:219
action · after_switch_theme · include\appsero\src\License.php:787
action · switch_theme · include\appsero\src\License.php:788
action · plugins_loaded · subscribe2.php:82

Scheduled Events 1

s2_digest_cron

Subscribe2 – Form, Email Subscribers & Newsletters Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 29, 2025
PHP min version: 5.4
Downloads: 2.5M

Community Trust

Rating: 70/100
Number of ratings: 115
Active installs: 20K

Subscribe2 – Form, Email Subscribers & Newsletters Developer Profile

weDevs

20 plugins · 113K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 366 days
Detection Fingerprints

How We Detect Subscribe2 – Form, Email Subscribers & Newsletters

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/subscribe2/css/admin-style.css
  • /wp-content/plugins/subscribe2/css/user-style.css
  • /wp-content/plugins/subscribe2/js/admin-scripts.js
  • /wp-content/plugins/subscribe2/js/user-scripts.js
  • /wp-content/plugins/subscribe2/js/dismiss.js
Script Paths
  • /wp-content/plugins/subscribe2/js/admin-scripts.js
  • /wp-content/plugins/subscribe2/js/user-scripts.js
  • /wp-content/plugins/subscribe2/js/dismiss.js
Version Parameters
  • subscribe2/css/admin-style.css?ver=
  • subscribe2/css/user-style.css?ver=
  • subscribe2/js/admin-scripts.js?ver=
  • subscribe2/js/user-scripts.js?ver=
  • subscribe2/js/dismiss.js?ver=

HTML / DOM Fingerprints

CSS Classes
subscribe2
Data Attributes
  • id="s2_email_freq"
  • id="s2_body"
  • id="s2_subject"
  • id="s2_signature"
  • id="s2_send_button"
JS Globals
mysubscribe2s2_confirm_nonce