CVE-2025-60148
Description
Missing Authorization vulnerability in wpshuffle Subscribe to Download subscribe-to-download allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe to Download: from n/a through <= 2.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Subscribe to Download plugin ≤2.0.9 has a missing authorization vulnerability allowing attackers to exploit access controls.
The Subscribe to Download plugin for WordPress versions up to and including 2.0.9 contains a missing authorization vulnerability. This flaw arises from incorrectly configured access control security levels, allowing unauthenticated or low-privileged users to execute actions that should require higher privileges [1].
Exploitation does not require authentication; an attacker can send crafted requests to the vulnerable plugin to bypass authorization checks. The attack surface is broad, as the plugin is widely used, and the vulnerability can be triggered without any special network position [1].
Successful exploitation could allow an attacker to access or modify protected features, such as downloading premium content or manipulating subscription settings, potentially leading to data exposure or unintended content access [1].
The vendor has released version 2.1.0 which addresses the issue. Users are strongly advised to update immediately. Auto-update can be enabled for vulnerable plugins via Patchstack [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.0.9
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.