Skip to main content

WPSubscription CVE-2026-24554

| EUVDEUVD-2026-31755 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-25 Patchstack GHSA-gfpm-cpmq-9ff5
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:50 vuln.today

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Convers Lab WPSubscription allows Cross Site Request Forgery.

This issue affects WPSubscription: from n/a through 1.9.1.

AnalysisAI

Cross-Site Request Forgery in the WPSubscription WordPress plugin (Convers Lab, versions through 1.9.1) enables remote unauthenticated attackers to perform unauthorized state-changing actions by tricking an authenticated WordPress user into visiting a malicious page or clicking a crafted link. The CVSS 4.3 Medium rating reflects limited integrity impact (I:L) with no confidentiality or availability exposure. No public exploit code exists and no active exploitation is confirmed - EPSS at 0.01% (3rd percentile) and SSVC 'Exploitation: none' both corroborate the low real-world threat level at time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), meaning the plugin fails to validate the origin of state-changing HTTP requests - typically by omitting or not properly verifying WordPress nonces on sensitive admin endpoints. The affected product is identified via CPE cpe:2.3:a:convers_lab:wpsubscription:*:*:*:*:*:*:*:* as a WordPress plugin developed by Convers Lab that provides subscription management functionality. CSRF in WordPress plugins commonly arises when form handlers or AJAX endpoints registered via admin-post.php or wp-ajax lack nonce verification, allowing a browser to silently replay attacker-crafted requests using the victim's authenticated session cookies.

RemediationAI

The primary remediation is to update the WPSubscription plugin beyond version 1.9.1; however, no specific patched release version is confirmed in the available data - the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/subscription/vulnerability/wordpress-wpsubscription-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability) should be consulted directly to confirm whether a fixed version has been released to the WordPress plugin repository. As a compensating control if patching is not immediately possible, administrators can restrict access to WordPress admin pages at the web server or firewall level to trusted IP ranges, reducing the attack surface for CSRF-based forged requests. Additionally, WordPress security plugins that implement blanket nonce enforcement or WAF rules blocking cross-origin POST requests to wp-admin can mitigate exploitation - note that overly broad WAF rules may break legitimate admin workflows and should be tested before deployment.

Share

CVE-2026-24554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy