PatchSiren cyber security CVE debrief
CVE-2026-24554 Convers Lab CVE debrief
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WPSubscription plugin for WordPress, affecting versions up to and including 1.9.1. It allows an attacker to perform unauthorized actions on behalf of an authenticated user by tricking that user into submitting a malicious request. The weakness is classified as CWE-352 (Cross-Site Request Forgery). The CVSS 3.1 score of 4.3 (Medium severity) reflects a network attack vector, low attack complexity and no required privileges, but user interaction is required. The impact is limited to low integrity impact, with no confidentiality or availability impact. The vulnerability was published to the CVE database on May 25, 2026, and modified on May 26, 2026. The NVD entry currently shows a status of 'Deferred'. No known exploitation in the wild or use in ransomware campaigns has been documented. The vendor is identified as 'Convers Lab' based on reference domain analysis, though this attribution carries low confidence and requires review.
- Vendor: Convers Lab
- Product: WPSubscription
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using the WPSubscription plugin; security teams managing WordPress installations; developers maintaining WordPress plugins with subscription functionality
Technical summary
The WPSubscription plugin for WordPress contains a Cross-Site Request Forgery vulnerability due to insufficient validation of request origin. Affected versions through 1.9.1 fail to properly verify that state-changing requests originate from legitimate user actions. An attacker can craft a malicious web page that, when visited by an authenticated WordPress administrator, submits unauthorized requests to the WPSubscription plugin endpoints. The attack requires user interaction (clicking a link or visiting a page) but does not require authentication bypass or privilege escalation. Successful exploitation could result in unauthorized modification of subscription settings or data. The vulnerability is classified under CWE-352 with a CVSS 3.1 base score of 4.3 (Medium).
Defensive priority
Medium
Recommended defensive actions
- Upgrade WPSubscription plugin to a version newer than 1.9.1 if available, or contact the vendor for patch information
- Implement CSRF protection tokens in custom code interacting with WPSubscription if maintaining a fork
- Review WordPress admin sessions for unauthorized subscription-related changes during the exposure window
- Consider implementing additional SameSite cookie policies and Content Security Policy headers as defense-in-depth measures
- Monitor for plugin updates through WordPress admin dashboard or vendor security advisories
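As an added example (not WPSubscription's code and not the vendor's fix), the following shows a hypothetical WordPress admin-post handler in the pattern the technical summary describes, first without any request-origin validation and then hardened with a WordPress nonce and a capability check, which is the standard way to implement the CSRF tokens recommended above. The `admin_post_*` hooks and nonce functions are WordPress core APIs; every name prefixed `example_` is assumed.

```php
<?php
// Added example, not the plugin's own code. Hypothetical plugin names
// (prefixed example_) are assumptions; WordPress core APIs are real.

// --- CSRF-prone pattern: any POST reaching this hook changes state.
// A form submitted from a third-party page by a logged-in administrator's
// browser carries the WordPress auth cookies, so this handler cannot
// distinguish it from a submission of the plugin's own settings page.
function example_vulnerable_save_settings() {
    $interval = sanitize_text_field( $_POST['billing_interval'] ?? '' );
    update_option( 'example_billing_interval', $interval );
    wp_safe_redirect( admin_url( 'admin.php?page=example-plugin' ) );
    exit;
}
add_action( 'admin_post_example_save', 'example_vulnerable_save_settings' );

// --- Hardened pattern: the settings form embeds a nonce bound to this
// action and the current user; the handler refuses requests without one.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_secure">
        <?php wp_nonce_field( 'example_save_secure', 'example_nonce' ); ?>
        <input type="text" name="billing_interval"
               value="<?php echo esc_attr( get_option( 'example_billing_interval', 'month' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_secure_save_settings() {
    // Authorization: only users who may manage settings get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF check: check_admin_referer() validates the nonce for this action
    // (and the Referer header) and stops with a 403 if it is missing or stale.
    check_admin_referer( 'example_save_secure', 'example_nonce' );

    $interval = sanitize_text_field( $_POST['billing_interval'] ?? '' );
    update_option( 'example_billing_interval', $interval );
    wp_safe_redirect( admin_url( 'admin.php?page=example-plugin' ) );
    exit;
}
add_action( 'admin_post_example_save_secure', 'example_secure_save_settings' );
```

A forged cross-site request cannot supply a valid nonce because the token is tied to the victim's session and the specific action, so the hardened handler rejects it before any option is written.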
Evidence notes
The vulnerability description and technical details are sourced from the NVD record and the Patchstack reference. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms a network-based attack that requires user interaction. The CWE-352 classification is explicitly provided in the source metadata. Vendor attribution to 'Convers Lab' is derived from reference domain candidate analysis and carries a low-confidence flag.
Official resources
- CVE-2026-24554 CVE record (CVE.org)
- CVE-2026-24554 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 2026-05-25T22:16:32.763Z