CVE-2026-4409: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpkube Subscribe To Comments Reloaded
The Subscribe To Comments Reloaded WordPress plugin contains a vulnerability allowing unauthorized actors to access and modify comment subscription preferences. This is due to a leaked secret key and the use of a weak hash generation algorithm in all versions up to 240119. Attackers can extract the global key from any public post page, forge authorization keys, and manage subscriptions for arbitrary users without authentication. The vulnerability is classified as CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS score is 6. 5, reflecting a medium severity level. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
CVE-2026-4409 affects the Subscribe To Comments Reloaded plugin for WordPress, where a leaked secret key combined with a weak hash generation algorithm enables unauthenticated attackers to extract the global key from public post pages. This allows them to forge authorization keys and manipulate comment subscription preferences for any user. The vulnerability is present in all versions up to and including 240119. It is categorized under CWE-200, indicating exposure of sensitive information. The CVSS 3.1 base score is 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating network attack vector, low attack complexity, no privileges or user interaction required, with limited confidentiality and integrity impact and no availability impact. No patch or official fix has been published yet.
Potential Impact
An attacker can gain unauthorized access to sensitive information by extracting the global secret key from public post pages. This enables them to forge authorization keys and modify comment subscription preferences for arbitrary users without authentication. The impact includes limited confidentiality and integrity loss but no availability impact. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling the Subscribe To Comments Reloaded plugin or restricting access to public post pages if feasible. Monitor official wpkube communications for updates on patches or mitigations.
CVE-2026-4409: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpkube Subscribe To Comments Reloaded
Description
The Subscribe To Comments Reloaded WordPress plugin contains a vulnerability allowing unauthorized actors to access and modify comment subscription preferences. This is due to a leaked secret key and the use of a weak hash generation algorithm in all versions up to 240119. Attackers can extract the global key from any public post page, forge authorization keys, and manage subscriptions for arbitrary users without authentication. The vulnerability is classified as CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS score is 6. 5, reflecting a medium severity level. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4409 affects the Subscribe To Comments Reloaded plugin for WordPress, where a leaked secret key combined with a weak hash generation algorithm enables unauthenticated attackers to extract the global key from public post pages. This allows them to forge authorization keys and manipulate comment subscription preferences for any user. The vulnerability is present in all versions up to and including 240119. It is categorized under CWE-200, indicating exposure of sensitive information. The CVSS 3.1 base score is 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating network attack vector, low attack complexity, no privileges or user interaction required, with limited confidentiality and integrity impact and no availability impact. No patch or official fix has been published yet.
Potential Impact
An attacker can gain unauthorized access to sensitive information by extracting the global secret key from public post pages. This enables them to forge authorization keys and modify comment subscription preferences for arbitrary users without authentication. The impact includes limited confidentiality and integrity loss but no availability impact. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling the Subscribe To Comments Reloaded plugin or restricting access to public post pages if feasible. Monitor official wpkube communications for updates on patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-18T23:02:48.429Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f95b2ccbff5d8610879567
Added to database: 5/5/2026, 2:51:24 AM
Last enriched: 5/5/2026, 3:07:26 AM
Last updated: 5/5/2026, 5:54:36 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.