What the vulnerability does
01 Description
Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscribe: from n/a through <= 1.2.16.
Explanation of Vulnerability in Simple Terms
02 Summary
WP Subscribe versions 1.2.16 and earlier contain an authorization bypass that allows authenticated users to modify data they should not have access to. The vulnerability requires a valid WordPress account but no special privileges. An attacker with low-level access can alter subscription settings or related information without proper permission checks.
What an attacker can do
03 Attacker Capabilities
Modify subscription data or settings belonging to other users or the site.
Potential impact on your site
04 Site Impact
Unauthorized changes to subscription configurations, potentially affecting email lists or user data integrity.
Conditions required to exploit
05 Prerequisites
Valid WordPress user account with low-level privileges; network access to the site.
Key dates
06 Disclosure timeline
January 23, 2026: CVE published
April 28, 2026: Record updated