Unauthorized Data Modification in Subscribe To Comments Reloaded Plugin for WordPress
CVE-2026-4409

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Subscribe To Comments Reloaded
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-4409?

The Subscribe To Comments Reloaded plugin for WordPress presents a significant security risk due to its use of a weak hash generation algorithm and a leaked secret key. This vulnerability allows unauthenticated users to exploit the plugin and extract sensitive authentication keys from any public post. By doing so, attackers can manipulate comment subscription preferences for any user, leading to unauthorized changes in data. It is crucial for users of this plugin to be aware of these risks and to ensure they update to secure releases to protect their WordPress installations.

Affected Version(s)

Subscribe To Comments Reloaded 0 <= 240119

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/subscribe-to-c...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Mar 18, 2026

Credit

Supakiad S.

CVE-2026-4409 Data

JSON