CVE-2026-24944 MEDIUM

CVE-2026-24944: WordPress Subscribe2 plugin <= 10.44 - Broken Access Control vulnerability

Vendor Wedevs

Product Subscribe2

Weakness CWE-862 · Missing authorization

Published February 20, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.

Explanation of Vulnerability in Simple Terms

02Summary

Subscribe2 versions up to 10.44 lack proper authorization checks, allowing unauthenticated attackers to read sensitive data through network requests. The vulnerability requires specific conditions to exploit but can expose confidential information. Update to version 10.45 or later to resolve the issue.

What an attacker can do

03Attacker Capabilities

Read sensitive data without authentication by sending specially crafted network requests.

Potential impact on your site

04Site Impact

Confidential information may be exposed to unauthenticated visitors; integrity of some data may be compromised.

Conditions required to exploit

05Prerequisites

Network access; no authentication or user interaction required, but exploitation requires specific conditions.

Key dates

06Disclosure timeline

February 20, 2026 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24944 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities