CVE-2026-24944
Description
Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe2: from n/a through <= 10.44.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Subscribe2 plugin <=10.44 has missing authorization, allowing unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Description
CVE-2026-24944 is a missing authorization vulnerability in the WordPress plugin Subscribe2, developed by weDevs. The flaw affects all versions up to and including 10.44 and stems from an incorrectly configured access control security level within the plugin. Because of this broken access control, certain functions do not properly verify user permissions or nonce tokens, so they run without an authorization check [1].
Exploitation Conditions
Attackers can exploit this vulnerability without authentication, as the missing authorization allows any unprivileged user (or even unauthenticated visitors) to execute higher-privileged actions. The attack surface is broad because the vulnerability is present in a widely used WordPress plugin, and it is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Impact
Successful exploitation grants an attacker the ability to perform actions that should be restricted to higher-privileged users, such as modifying plugin settings or accessing sensitive data. The CVSS v3 base score is 6.5 (Medium), reflecting the moderate severity but high likelihood of exploitation due to the ease of attack and potential for widespread automation [1].
Mitigation
The vulnerability is fixed in version 10.45 or later. Users are advised to update the plugin immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update can be applied. Auto-update can be enabled for vulnerable plugins via Patchstack [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.