CVE-2026-4409
Deferred Deferred - Pending Action
Unauthenticated Comment Subscription Manipulation in Subscribe To Comments Reloaded

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4409
EUVD
EUVD-2026-27180
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
subscribe_to_comments_reloaded subscribe_to_comments_reloaded to 240119 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to extract a global secret key and manage comment subscription preferences for arbitrary users by forging authorization keys. This unauthorized modification of user data could potentially lead to violations of data protection principles required by standards like GDPR and HIPAA, which mandate strict controls over personal data access and modification.

However, the provided information does not explicitly state the impact on compliance with these regulations.

Executive Summary

The Subscribe To Comments Reloaded plugin for WordPress has a vulnerability caused by a leaked secret key and the use of a weak hash generation algorithm in all versions up to and including 240119.

This vulnerability allows unauthenticated attackers to extract the global key from any public post page, forge authorization keys, and manage comment subscription preferences for arbitrary users.

Impact Analysis

This vulnerability can impact you by allowing attackers who are not logged in to manipulate comment subscription preferences of any user.

Such unauthorized modification of data can lead to privacy violations, unwanted subscriptions, and potential misuse of user information.

Mitigation Strategies

To mitigate this vulnerability, you should update the Subscribe To Comments Reloaded plugin to a version later than 240119 where the issue is fixed.

Additionally, consider reviewing and resetting comment subscription preferences as unauthorized modifications may have occurred.

Monitor your WordPress site for any suspicious activity related to comment subscriptions and unauthorized data changes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4409. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart