CVE-2026-4409

Sažetak

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users

Reference

https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37
https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164
https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613
https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve

CVSS

Base:	6.5
Impact:	2.5
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Zadnje važnije ažuriranje

05-05-2026 - 19:09

Objavljeno

05-05-2026 - 03:15