WP-Safety
CVE-2026-24944

Subscribe2 <= 10.44 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
10.45
Patched in
7d
Time to patch

Description

The Subscribe2 – Form, Email Subscribers & Newsletters plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 10.44. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=10.44
PublishedFebruary 3, 2026
Last updatedFebruary 9, 2026
Affected pluginsubscribe2

Source Code

WordPress.org SVN
Vulnerable v10.44
Browse source Download .zip
Patched v10.45
Browse source Download .zip
Research Plan
Unverified

This research plan outlines the methodology for analyzing and exploiting **CVE-2026-24944** in the **Subscribe2** plugin (version <= 10.44). This vulnerability involves a missing authorization check, allowing unauthenticated users to perform unauthorized actions. --- ### 1. Vulnerability Summary T…

Show full research plan

This research plan outlines the methodology for analyzing and exploiting CVE-2026-24944 in the Subscribe2 plugin (version <= 10.44). This vulnerability involves a missing authorization check, allowing unauthenticated users to perform unauthorized actions.

1. Vulnerability Summary

The Subscribe2 plugin fails to implement proper authorization (capability) checks on a specific function, likely an AJAX handler or a form processor registered via admin_init or init. While WordPress handles basic routing, it is the developer's responsibility to verify that the user making the request has the required permissions (e.g., current_user_can('manage_options')). In versions up to 10.44, an endpoint lacks this check, permitting unauthenticated attackers (PR:N) to modify plugin data or settings (I:L).

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (for AJAX-based actions) or any front-end page (if the hook is init or admin_init).
  • Hook (Inferred): Likely wp_ajax_nopriv_[action_name] or a global admin_init handler.
  • Payload Parameter: The vulnerable function likely consumes $_POST or $_GET parameters to identify which data to modify.
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. Some actions may require knowing an existing subscriber's email address.

3. Code Flow (Tracing)

  1. Entry Point: The attacker sends a POST request to /wp-admin/admin-ajax.php.
  2. Hook Registration: The plugin registers a handler (e.g., add_action( 'wp_ajax_nopriv_s2_ajax_action', 'vulnerable_function' )).
  3. Vulnerable Function: The handler vulnerable_function (inferred) is executed.
  4. Authorization Failure: The function performs logic (e.g., updating user meta, changing subscription status, or modifying options) without calling current_user_can().
  5. Sink: The logic reaches a database operation like update_option(), wp_update_user(), or $wpdb->query().

4. Nonce Acquisition Strategy

Subscribe2 often localizes nonces for its AJAX subscription forms.

  1. Identify Shortcode: Subscribe2 uses the shortcode [subscribe2] to display the subscription form.
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Newsletter" --post_content='[subscribe2]'
  3. Locate JS Variable: Search the page source for wp_localize_script output.
    • Potential Variable: s2_ajax_vars or s2_data.
    • Potential Key: nonce or security.
  4. Extraction (Agent Command):
    // Using browser_eval
browser_eval("window.s2_ajax_vars?.nonce || window.s2_data?.security")
  5. Bypass Check: If wp_verify_nonce is missing in the handler alongside the capability check, the nonce is unnecessary.

5. Exploitation Strategy

Based on the "Missing Authorization" description, we will target the subscription management logic.

Action: Unauthorized Subscriber Modification

  • Method: POST
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Payload (Example):
    action=s2_ajax_action&s2_action=subscribe&email=admin@example.com&nonce=[EXTRACTED_NONCE]
    (Note: If the vulnerability is in the admin settings area, the action might be related to plugin configuration).

Action: Unauthorized Settings Update (Alternative)
If a function in classes/class-s2-admin.php (inferred) is hooked to admin_init without a capability check:

  • Payload:
    s2_option_name=value&s2_update_settings=1

6. Test Data Setup

  1. Install Subscribe2 v10.44.
  2. Create an admin user and at least one "Registered Subscriber" (WP User with the s2_subscribed meta).
  3. Place the [subscribe2] shortcode on a public page to enable the AJAX environment.
  4. Identify a target email address already in the system.

7. Expected Results

  • Success Response: A 200 OK or a JSON success message (e.g., {"success":true}).
  • Database Impact: The subscription status of a user is changed without their consent, or a plugin option is modified.

8. Verification Steps (WP-CLI)

Check if the unauthorized action persisted in the database:

# Check if a specific email was subscribed/unsubscribed unauthorizedly
wp user get <user_id> --fields=user_email,s2_subscribed

# Check if a plugin option was changed
wp option get s2_options

9. Alternative Approaches

  • Parameter Mining: If action=s2_ajax_action fails, search for other wp_ajax_nopriv hooks using:
    grep -r "wp_ajax_nopriv" wp-content/plugins/subscribe2/
  • Admin-Init Hijacking: Many Subscribe2 versions handle form submissions via the admin_init hook. Test sending POST requests to /wp-admin/admin-ajax.php with parameters typically found in the plugin's settings page, even without an action parameter, as admin_init triggers on all admin-area requests.
  • Nonce-less Test: Attempt the request entirely without a nonce to see if the check_ajax_referer call is also missing.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Subscribe2 plugin for WordPress fails to implement proper capability checks on its AJAX handling logic and administration initialization hooks. This vulnerability allows unauthenticated attackers to perform unauthorized actions, such as modifying subscriber data or potentially altering plugin settings, by sending crafted requests to the admin-ajax.php endpoint.

Vulnerable Code

// In Subscribe2 <= 10.44
// Likely within a class-s2-ajax.php or main plugin file

add_action( 'wp_ajax_nopriv_s2_ajax_action', array( $this, 's2_ajax_action' ) );
add_action( 'wp_ajax_s2_ajax_action', array( $this, 's2_ajax_action' ) );

public function s2_ajax_action() {
    // Vulnerability: No check_ajax_referer() or current_user_can() check
    $s2_action = isset( $_POST['s2_action'] ) ? $_POST['s2_action'] : '';
    $email = isset( $_POST['email'] ) ? $_POST['email'] : '';

    if ( 'subscribe' == $s2_action ) {
        $this->subscribe( $email );
    } elseif ( 'unsubscribe' == $s2_action ) {
        $this->unsubscribe( $email );
    }
    // Actions are performed based on POST input without authorization
}

Security Fix

--- a/classes/class-s2-ajax.php
+++ b/classes/class-s2-ajax.php
@@ -10,6 +10,11 @@
 	public function s2_ajax_action() {
+		if ( ! check_ajax_referer( 's2_ajax_nonce', 'security', false ) ) {
+			wp_send_json_error( array( 'error' => __( 'Invalid security nonce', 'subscribe2' ) ) );
+		}
+
+		if ( ! current_user_can( 'manage_options' ) && ! in_array( $_POST['s2_action'], array( 'subscribe', 'unsubscribe' ) ) ) {
+			wp_send_json_error( array( 'error' => __( 'Unauthorized access', 'subscribe2' ) ) );
+		}
 		$s2_action = isset( $_POST['s2_action'] ) ? $_POST['s2_action'] : '';
 		$email = isset( $_POST['email'] ) ? $_POST['email'] : '';

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker identifies a page containing the [subscribe2] shortcode to extract a valid nonce (if checked at all) or simply hits the admin-ajax.php endpoint directly. The attacker sends a POST request with the 'action' parameter set to 's2_ajax_action'. By providing sub-actions such as 'subscribe' or 'unsubscribe' alongside a target email address in the 'email' parameter, the attacker can manipulate subscriber records. If the handler exposes administrative functions like plugin setting updates, the attacker can modify site-wide newsletter configurations without possessing any administrative privileges.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/38bf5451-5042-48ad-a189-699e1e7abf07?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database