WP Subscribe Security & Risk Analysis

wordpress.org/plugins/wp-subscribe

WP Subscribe is a simple but powerful subscription plugin which supports MailChimp, Aweber and Feedburner.

Active installs: 8K
Version: v1.2.16
Requires: PHP (version not listed), WP 4.0+
Updated: May 10, 2022
Tags: newsletter, subscribe, subscribe-widget, subscription, subscription-box

Security score: 61/100
Grade: C · Use Caution
CVEs total: 2
Unpatched: 1
Last CVE: Jan 26, 2026
Safety Verdict

Is WP Subscribe Safe to Use in 2026?

Use With Caution

Score 61/100

WP Subscribe has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Jan 26, 2026 · Plugin last updated 4yr ago
Risk Assessment

The "wp-subscribe" plugin exhibits a mixed security posture. The static analysis finds no dangerous functions, no raw SQL queries (so there is no SQL to sanitize in the first place) and escaping on 166 of 168 outputs, but its attack surface and vulnerability history are concerning. Four of the five admin-ajax entry points are classed as unprotected, and the analyzer counts only one nonce check and no capability checks in the whole plugin, so even the one entry point it classes as protected relies on a nonce alone; a nonce proves that the request came from a page WordPress rendered for that user, not that the user is authorized to perform the action. Four of the entry points are registered on wp_ajax_ hooks, which fire for any logged-in user regardless of role, and one (validate_subscribe) is also registered on wp_ajax_nopriv_, which fires for unauthenticated visitors. The single critical-severity taint flow (user input reaching a dangerous sink without sanitization) also points to a potential for serious vulnerabilities, even though it is not tied to a specific CVE in the history below.

The plugin's vulnerability history, with two known CVEs and one currently unpatched, shows a recurring pattern of weakness. The vulnerability types involved (Missing Authorization, Cross-site Scripting) match what the static analysis flags: missing capability checks on AJAX handlers and a small number of unescaped outputs. The unpatched CVE is dated 2026-01-26 and affects versions up to and including 1.2.16, which is the current release; since the plugin has not been updated since May 2022, every installed copy is affected and no vendor fix is available. Overall, while strengths exist, the unpatched Missing Authorization issue and the number of unprotected entry points necessitate immediate attention: restrict or remove the plugin, or front admin-ajax.php with additional access controls until a fix ships.

Key Concerns

  • Unprotected AJAX handlers (4 of 5 entry points)
  • Unpatched CVE (1: CVE-2026-24522, affecting the current release 1.2.16)
  • Critical-severity taint flow (1)
  • No capability checks on any AJAX handler (0 found; 1 nonce check)
  • Unescaped output (2 of 168 outputs)
Vulnerabilities
2 published

WP Subscribe Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)
2026: 1 CVE (unpatched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2026-24522 · Medium · 4.3 · Missing Authorization
  Title: Subscribe <= 1.2.16 - Missing Authorization
  Published: Jan 26, 2026 · Status: Unpatched

CVE-2021-36844 · Medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Title: WP Subscribe <= 1.2.12 - Authenticated (Admin+) Stored Cross-Site Scripting
  Published: May 2, 2022 · Status: Patched in 1.2.13 (630d)
Code Analysis
Analyzed Mar 16, 2026

WP Subscribe Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (166 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

99% escaped (166 of 168 outputs)
Data Flows · Security
1 unsanitized

Data Flow Analysis

2 flows, 1 with an unsanitized path
Flow: <wp-subscribe> (wp-subscribe.php:0)
Attack Surface
4 unprotected

WP Subscribe Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers (5)

  Scope    Hook                                      Location
  auth     wp_ajax_wps_get_service_list              wp-subscribe.php:107
  auth     wp_ajax_validate_subscribe                wp-subscribe.php:108
  nopriv   wp_ajax_validate_subscribe                wp-subscribe.php:109
  auth     wp_ajax_connect_aweber                    wp-subscribe.php:110
  auth     wp_ajax_mts_dismiss_wpsubscribe_notice    wp-subscribe.php:114
WordPress Hooks (6)

  Type     Hook                                Location
  action   wp_enqueue_scripts                  includes\wps-widget.php:18
  action   admin_enqueue_scripts               includes\wps-widget.php:19
  action   customize_controls_enqueue_scripts  includes\wps-widget.php:20
  action   widgets_init                        includes\wps-widget.php:387
  action   init                                wp-subscribe.php:104
  action   admin_notices                       wp-subscribe.php:113
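What "unprotected" means for the entry points above, as an added illustration that is not code from WP Subscribe: a hypothetical admin-ajax handler that checks neither nonce nor capability and is registered on both hook prefixes, beside the hardened form a reviewer would expect. The action names (wps_demo_*), option name and script handle are made up for the example; the WordPress functions used (check_ajax_referer, current_user_can, wp_send_json_error, wp_localize_script, and the sanitize_* helpers) are real core APIs.

```php
<?php
/**
 * Added illustration, not code from WP Subscribe. Hypothetical action names
 * (wps_demo_*) are used so nothing here is mistaken for the plugin's handlers.
 */

// --- Unprotected pattern ---------------------------------------------------
// Registered on both prefixes, so it is reachable by unauthenticated visitors
// (wp_ajax_nopriv_) and by any logged-in user of any role (wp_ajax_). It checks
// no nonce and no capability, writes raw request data to an option (the kind
// of source-to-sink path the taint analysis flags), and echoes it unescaped.
function wps_demo_save_unprotected() {
    $api_key = $_POST['api_key'];                    // untrusted input
    update_option( 'wps_demo_api_key', $api_key );   // dangerous sink
    echo 'saved: ' . $api_key;                       // unescaped output
    wp_die();
}
add_action( 'wp_ajax_wps_demo_save_unprotected', 'wps_demo_save_unprotected' );
add_action( 'wp_ajax_nopriv_wps_demo_save_unprotected', 'wps_demo_save_unprotected' );

// --- Hardened pattern ------------------------------------------------------
// 1. Logged-in prefix only: a settings change never needs a nopriv hook.
// 2. check_ajax_referer() rejects requests without a valid nonce (CSRF).
// 3. current_user_can() is the authorization check a nonce cannot replace:
//    a nonce only proves the request came from a page this user loaded.
// 4. Input is sanitized before the sink; output leaves via wp_send_json_*(),
//    which JSON-encodes it instead of echoing raw strings.
function wps_demo_save_hardened() {
    check_ajax_referer( 'wps_demo_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    if ( '' === $api_key ) {
        wp_send_json_error( array( 'message' => 'api_key required' ), 400 );
    }
    update_option( 'wps_demo_api_key', $api_key );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_wps_demo_save', 'wps_demo_save_hardened' );

// A nopriv handler is legitimate only for actions a visitor should be able to
// perform, such as submitting a subscription. Even then, validate every field.
// Caveat: for logged-out users a WordPress nonce is identical for every visitor
// within its lifetime and breaks under full-page caching, so it is an
// anti-automation speed bump here, not a CSRF control; rate-limit at the
// web server if abuse matters.
function wps_demo_public_subscribe() {
    check_ajax_referer( 'wps_demo_subscribe', 'nonce' );
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid email' ), 400 );
    }
    // ...hand $email to the mailing-list service here...
    wp_send_json_success( array( 'email' => $email ) );
}
add_action( 'wp_ajax_wps_demo_subscribe', 'wps_demo_public_subscribe' );
add_action( 'wp_ajax_nopriv_wps_demo_subscribe', 'wps_demo_public_subscribe' );

// The nonces must reach the front-end script; wp_localize_script() exposes
// them as a JS global, the same mechanism behind the wps_ajax_object global
// listed in the fingerprints on this page.
function wps_demo_enqueue() {
    wp_enqueue_script( 'wps-demo', plugins_url( 'js/wps-demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wps-demo', 'wpsDemo', array(
        'ajaxUrl'        => admin_url( 'admin-ajax.php' ),
        'saveNonce'      => wp_create_nonce( 'wps_demo_save' ),
        'subscribeNonce' => wp_create_nonce( 'wps_demo_subscribe' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'wps_demo_enqueue' );
```

When auditing a handler like the ones listed above, the two questions to ask in order are: is the action registered on a wp_ajax_nopriv_ hook at all, and, if it changes state, does it call current_user_can() with a capability appropriate to that change before touching the sink. A nonce check on its own answers neither.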
Maintenance & Trust

WP Subscribe Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: May 10, 2022
PHP min version: (none listed)
Downloads: 767K

Community Trust

Rating: 76/100
Number of ratings: 26
Active installs: 8K
Developer Profile

WP Subscribe Developer Profile

MyThemeShop

7 plugins · 38K total installs
Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 472 days
Detection Fingerprints

How We Detect WP Subscribe

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-subscribe/css/wps-main.css
/wp-content/plugins/wp-subscribe/css/wps-responsive.css
/wp-content/plugins/wp-subscribe/js/wps-validate.js
/wp-content/plugins/wp-subscribe/js/wps-connect.js
/wp-content/plugins/wp-subscribe/js/wps-shortcode.js
/wp-content/plugins/wp-subscribe/js/wps-admin.js
Script Paths
/wp-content/plugins/wp-subscribe/js/wps-validate.js
/wp-content/plugins/wp-subscribe/js/wps-connect.js
/wp-content/plugins/wp-subscribe/js/wps-shortcode.js
/wp-content/plugins/wp-subscribe/js/wps-admin.js
Version Parameters
wp-subscribe/css/wps-main.css?ver=
wp-subscribe/css/wps-responsive.css?ver=
wp-subscribe/js/wps-validate.js?ver=
wp-subscribe/js/wps-connect.js?ver=
wp-subscribe/js/wps-shortcode.js?ver=
wp-subscribe/js/wps-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wps-subscribe-form, wps-subscribe-success, wps-subscribe-error, wp-subscribe-notice, wpsubscribe-dismiss-notice
HTML Comments
<!-- WP Subscribe Widget -->
<!-- WP Subscribe Form -->
<!-- Shortcode WP Subscribe -->
<!-- Shortcode WP Subscribe Pro -->
Data Attributes
data-wps-email-label, data-wps-name-label, data-wps-submit-text, data-wps-service, data-wps-api-key, data-wps-list-id, +1 more
JS Globals
wps_ajax_object, wps_validation_messages, wps_connect_object
REST Endpoints
/wp-json/wp-subscribe/v1/subscribe
/wp-json/wp-subscribe/v1/connect
Shortcode Output
<form class="wps-subscribe-form" method="post">
<div class="wps-subscribe-success">
<div class="wps-subscribe-error">
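The fingerprints above applied in code, as an added example rather than tooling from the page's authors: the function matches a fetched HTML document against the asset paths, CSS classes, HTML comments and JS globals listed on this page, pulls the version string from the ?ver= parameter on a plugin asset, and compares it against the "<= 1.2.16" range of CVE-2026-24522. The HTML and readme samples in the block are constructed for the example, and the readme check (reading "Stable tag" from the plugin's public readme.txt) is a general WordPress technique assumed here, not something the page states about this plugin.

```php
<?php
/**
 * Added example, not tooling from this page's authors. Fingerprints are copied
 * from the detection list above; $sample_html and $sample_readme are
 * constructed inputs, not captures from a real site.
 */

const WPS_ASSET_PATHS = array(
    '/wp-content/plugins/wp-subscribe/css/wps-main.css',
    '/wp-content/plugins/wp-subscribe/css/wps-responsive.css',
    '/wp-content/plugins/wp-subscribe/js/wps-validate.js',
    '/wp-content/plugins/wp-subscribe/js/wps-connect.js',
);
const WPS_CSS_CLASSES   = array( 'wps-subscribe-form', 'wps-subscribe-success', 'wps-subscribe-error' );
const WPS_HTML_COMMENTS = array( '<!-- WP Subscribe Widget -->', '<!-- WP Subscribe Form -->', '<!-- Shortcode WP Subscribe -->' );
const WPS_JS_GLOBALS    = array( 'wps_ajax_object', 'wps_validation_messages', 'wps_connect_object' );

/** Upper bound of the affected range for CVE-2026-24522 (unpatched at time of writing). */
const WPS_CVE_2026_24522_MAX = '1.2.16';

/**
 * Match a page body against the fingerprint families. Returns which families
 * hit, the version exposed via ?ver= (if any), and whether that version is
 * inside the CVE-2026-24522 range (null when no version could be read).
 */
function wps_fingerprint( string $html ): array {
    $families = array(
        'asset'   => WPS_ASSET_PATHS,
        'class'   => WPS_CSS_CLASSES,
        'comment' => WPS_HTML_COMMENTS,
        'global'  => WPS_JS_GLOBALS,
    );
    $hits = array();
    foreach ( $families as $kind => $needles ) {
        foreach ( $needles as $needle ) {
            if ( strpos( $html, $needle ) !== false ) {
                $hits[ $kind ][] = $needle;
            }
        }
    }

    // Version from ?ver= on any plugin asset URL. Caveat: if the plugin
    // enqueued the asset without a version, WordPress appends the core version
    // instead, so confirm with the readme check below before trusting it.
    $version = null;
    if ( preg_match( '#/wp-content/plugins/wp-subscribe/[^"\'\s?]+\?ver=([0-9]+(?:\.[0-9]+)*)#', $html, $m ) ) {
        $version = $m[1];
    }

    return array(
        'detected'                => ! empty( $hits ),
        'hits'                    => $hits,
        'version'                 => $version,
        // version_compare() handles multi-digit components correctly (1.2.16 > 1.2.9).
        'cve_2026_24522_in_range' => $version === null ? null : version_compare( $version, WPS_CVE_2026_24522_MAX, '<=' ),
    );
}

/**
 * Second opinion on the version: the "Stable tag" line of the plugin's readme,
 * which is normally world-readable at /wp-content/plugins/wp-subscribe/readme.txt.
 * Returns null when the line is absent or reads "trunk".
 */
function wps_version_from_readme( string $readme ): ?string {
    if ( preg_match( '/^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)\s*$/mi', $readme, $m ) ) {
        return $m[1];
    }
    return null;
}

// Constructed sample page: widget markup plus versioned assets.
$sample_html = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/wp-subscribe/css/wps-main.css?ver=1.2.16" />
<script src="https://example.test/wp-content/plugins/wp-subscribe/js/wps-validate.js?ver=1.2.16"></script>
<script>var wps_ajax_object = {"ajax_url":"https://example.test/wp-admin/admin-ajax.php"};</script>
</head><body>
<!-- WP Subscribe Widget -->
<form class="wps-subscribe-form" method="post"><div class="wps-subscribe-error"></div></form>
</body></html>
HTML;

// Constructed sample readme fragment.
$sample_readme = "=== WP Subscribe ===\nRequires at least: 4.0\nStable tag: 1.2.16\n";

$result = wps_fingerprint( $sample_html );
printf( "detected=%s families=%s version=%s readme_version=%s in_cve_2026_24522_range=%s\n",
    var_export( $result['detected'], true ),
    implode( ',', array_keys( $result['hits'] ) ),
    $result['version'] ?? 'unknown',
    wps_version_from_readme( $sample_readme ) ?? 'unknown',
    var_export( $result['cve_2026_24522_in_range'], true )
);
```

On a live audit, fetch the front page and the readme with a normal HTTP client and pass the bodies to the two functions; when the ?ver= value and the Stable tag disagree, trust the readme, since ?ver= may be the WordPress core version rather than the plugin's.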
FAQ

Frequently Asked Questions about WP Subscribe