ByteOS Network

Vulnerability Details :

CVE-2026-24944

Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3

Published At-20 Feb, 2026 | 15:47

Updated At-20 Feb, 2026 | 18:49

WordPress Subscribe2 plugin <= 10.44 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Patchstack

Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3

Published At:20 Feb, 2026 | 15:47

Updated At:20 Feb, 2026 | 18:49

▼CVE Numbering Authority (CNA)

WordPress Subscribe2 plugin <= 10.44 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.

Affected Products

Vendor

weDevs Pte. Ltd.

Product

Subscribe2

Collection URL

https://wordpress.org/plugins

Package Name

subscribe2

Default Status

unaffected

Versions

Affected

From n/a through <= 10.44 (custom)
- -> unaffectedfrom10.45

Problem Types

Type	CWE ID	Description
CWE	CWE-862	Missing Authorization

Type: CWE

CWE ID: CWE-862

Description: Missing Authorization

Impacts

CAPEC ID	Description
CAPEC-180	Exploiting Incorrectly Configured Access Control Security Levels

CAPEC ID: CAPEC-180

Description: Exploiting Incorrectly Configured Access Control Security Levels

Credits

finder

chokri hammedi | Patchstack Bug Bounty Program

References

Hyperlink	Resource
https://patchstack.com/database/Wordpress/Plugin/subscribe2/vulnerability/wordpress-subscribe2-plugin-10-44-broken-access-control-vulnerability?_s_id=cve	vdb-entry

Hyperlink: https://patchstack.com/database/Wordpress/Plugin/subscribe2/vulnerability/wordpress-subscribe2-plugin-10-44-broken-access-control-vulnerability?_s_id=cve

Resource:

vdb-entry

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics

Version	Base score	Base severity	Vector
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:audit@patchstack.com

Published At:20 Feb, 2026 | 16:22

Updated At:20 Feb, 2026 | 20:25

Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-862	Secondary	audit@patchstack.com

CWE ID: CWE-862

Type: Secondary

Source: audit@patchstack.com

References

Hyperlink	Source	Resource
https://patchstack.com/database/Wordpress/Plugin/subscribe2/vulnerability/wordpress-subscribe2-plugin-10-44-broken-access-control-vulnerability?_s_id=cve	audit@patchstack.com	N/A

Hyperlink: https://patchstack.com/database/Wordpress/Plugin/subscribe2/vulnerability/wordpress-subscribe2-plugin-10-44-broken-access-control-vulnerability?_s_id=cve

Source: audit@patchstack.com

Resource: N/A

Similar CVEs

11Records found

CVE-2024-34442

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-5.3||MEDIUM

EPSS-0.12% / 30.60%

7 Day CHG~0.00%

Published-11 Jun, 2024 | 13:34

Updated-02 Aug, 2024 | 02:51

WordPress weDocs plugin <= 2.1.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs weDocs.This issue affects weDocs: from n/a through 2.1.4.

Vendor-weDevs Pte. Ltd.

Product-weDocs wedocs

CWE ID-CWE-862

Missing Authorization

CVE-2024-34822

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-5.3||MEDIUM

EPSS-0.12% / 30.60%

7 Day CHG~0.00%

Published-11 Jun, 2024 | 15:26

Updated-07 Aug, 2024 | 14:19

WordPress weMail plugin <= 1.14.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs weMail.This issue affects weMail: from n/a through 1.14.2.

Vendor-weDevs Pte. Ltd.

Product-wemail weMail

CWE ID-CWE-862

Missing Authorization

CVE-2025-63008

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-5.3||MEDIUM

EPSS-0.04% / 12.72%

7 Day CHG~0.00%

Published-09 Dec, 2025 | 14:52

Updated-11 Feb, 2026 | 15:52

WordPress WP ERP plugin <= 1.16.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP ERP: from n/a through <= 1.16.7.

Vendor-weDevs Pte. Ltd.

Product-WP ERP

CWE ID-CWE-862

Missing Authorization

CVE-2025-30896

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-5.4||MEDIUM

EPSS-0.22% / 44.21%

7 Day CHG~0.00%

Published-27 Mar, 2025 | 10:55

Updated-27 Mar, 2025 | 19:39

WordPress WP ERP plugin <= 1.13.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through 1.13.4.

Vendor-weDevs Pte. Ltd.

Product-WP ERP

CWE ID-CWE-862

Missing Authorization

CVE-2024-24711

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.14% / 34.00%

7 Day CHG~0.00%

Published-26 Mar, 2024 | 11:43

Updated-02 Aug, 2024 | 16:07

WordPress WooCommerce Conversion Tracking plugin <= 2.0.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WooCommerce Conversion Tracking.This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.11.

Vendor-weDevs Pte. Ltd.

Product-WooCommerce Conversion Tracking woocommerce_conversion_tracking

CWE ID-CWE-862

Missing Authorization

CVE-2023-52217

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.12% / 30.61%

7 Day CHG~0.00%

Published-11 Jun, 2024 | 09:26

Updated-02 Aug, 2024 | 22:55

WordPress WooCommerce Conversion Tracking plugin <= 2.0.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WooCommerce Conversion Tracking.This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.11.

Vendor-weDevs Pte. Ltd.

Product-woocommerce_conversion_tracking WooCommerce Conversion Tracking woocommerce_conversion_tracking

CWE ID-CWE-862

Missing Authorization

CVE-2023-45765

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.14% / 34.90%

7 Day CHG~0.00%

Published-02 Jan, 2025 | 11:59

Updated-31 Jan, 2025 | 16:50

WordPress WP ERP plugin <= 1.12.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP ERP: from n/a through 1.12.6.

Vendor-weDevs Pte. Ltd.

Product-wp_erp WP ERP

CWE ID-CWE-862

Missing Authorization

CVE-2023-40003

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-6.5||MEDIUM

EPSS-0.42% / 61.69%

7 Day CHG~0.00%

Published-13 Dec, 2024 | 14:24

Updated-05 Feb, 2025 | 14:28

WordPress WP Project Manager plugin <= 2.6.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP Project Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Project Manager: from n/a through 2.6.7.

Vendor-weDevs Pte. Ltd.

Product-wp_project_manager WP Project Manager

CWE ID-CWE-862

Missing Authorization

CVE-2023-45002

Matching Score-6

Assigner-Patchstack

View Details

Matching Score-6

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.14% / 34.90%

7 Day CHG~0.00%

Published-02 Jan, 2025 | 11:59

Updated-06 Jan, 2025 | 20:30

WordPress WP User Frontend plugin <= 3.6.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through 3.6.8.

Vendor-weDevs Pte. Ltd.

Product-WP User Frontend

CWE ID-CWE-862

Missing Authorization

CVE-2025-60247

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-6.5||MEDIUM

EPSS-0.04% / 13.63%

7 Day CHG~0.00%

Published-06 Nov, 2025 | 15:55

Updated-20 Jan, 2026 | 15:17

WordPress Bux Woocommerce plugin <= 1.2.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bux Bux Woocommerce bux-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bux Woocommerce: from n/a through <= 1.2.3.

Vendor-Bux

Product-Bux Woocommerce

CWE ID-CWE-862

Missing Authorization

CVE-2023-28623

Matching Score-4

Assigner-GitHub, Inc.

View Details

Matching Score-4

Assigner-GitHub, Inc.

CVSS Score-6.5||MEDIUM

EPSS-0.06% / 19.93%

7 Day CHG~0.00%

Published-19 May, 2023 | 21:04

Updated-12 Feb, 2025 | 17:01

Unauthorized user can register an account in specific configurations in Zulip

Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue.

Vendor-Kandra Labs, Inc. (Zulip)

Product-zulip zulip

CWE ID-CWE-285

Improper Authorization

CWE ID-CWE-862

Missing Authorization

CVE-2026-24944

Credits

WordPress Subscribe2 plugin <= 10.44 - Broken Access Control vulnerability

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs