• Hello,

    Do you have estimate on when this security issue will be addressed?

    Broken Access Control vulnerability discovered by Dhabaleshwar Das (Patchstack Alliance) in WordPress Plugin Subscribe2 (versions <= 10.42)
    Source: Patchstack

    Also, do you mind replying to this thread a second time when it’s fixed?

    Thanks!

Viewing 12 replies - 1 through 12 (of 12 total)
  • Solid Security (formerly iThemes Security) reports the same:

    WordPress Subscribe2 plugin <= 10.42 – Broken Access Control vulnerability

    Do you have a plan for fixing it?

    Also have a look here:

    https://www.wordfence.com/threat-intel/vulnerabilities/detail/appsero-200-missing-authorization-via-handle-optin-optout

    Wordfence states:

    The Appsero analytics tool used in several plugins is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout function in versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to opt-in or opt-out of tracking. This was patched in version 2.0.1 of Appsero with a nonce check.

    Wordfence also states that, as of now, WordPress Plugin Subscribe2 (versions <= 10.42) is the only one of thirteen listed plugins using Appsero that has not been patched yet.

    Since Appsero has been patched, fixing Subscribe2 shouldn’t be difficult, I guess.

    Thanks!
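As an added illustration of the bug class Wordfence describes above (this is not Appsero's or Subscribe2's code; the hook, function and option names are hypothetical): a WordPress AJAX handler that flips a tracking option without any authorization check, next to a hardened version that requires both a valid nonce and a capability. Wordfence's note mentions only a nonce check in the Appsero fix; the capability check here is an assumed extra layer, because a nonce only proves the request came from a page WordPress rendered for that session, not that the caller is allowed to change the setting.

```php
<?php
// Constructed example for this thread, not code from Appsero or Subscribe2.
// All names (hooks, functions, option key) are hypothetical.

// Pattern (A): the handler is registered for unauthenticated requests
// (wp_ajax_nopriv_*) and performs neither a nonce nor a capability check,
// so any visitor can change the option. This is the "missing authorization"
// class Wordfence describes.
add_action( 'wp_ajax_nopriv_example_tracking_toggle', 'example_tracking_toggle_unchecked' );
add_action( 'wp_ajax_example_tracking_toggle', 'example_tracking_toggle_unchecked' );

function example_tracking_toggle_unchecked() {
    $enable = isset( $_POST['enable'] ) && '1' === $_POST['enable'];
    update_option( 'example_tracking_enabled', $enable );
    wp_send_json_success( array( 'enabled' => $enable ) );
}

// Pattern (B): hardened handler. It is hooked only for logged-in requests
// (no wp_ajax_nopriv_ registration), the request must carry a nonce bound to
// this action, and the caller must hold manage_options. The nonce blocks
// cross-site request forgery against an administrator's browser; the
// capability check blocks authenticated users who are not administrators.
add_action( 'wp_ajax_example_tracking_toggle_secure', 'example_tracking_toggle_secure' );

function example_tracking_toggle_secure() {
    // Verifies $_POST['nonce'] against the action 'example_tracking_toggle';
    // with the default third argument it dies with a 403 on failure.
    check_ajax_referer( 'example_tracking_toggle', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $enable = isset( $_POST['enable'] ) && '1' === $_POST['enable'];
    update_option( 'example_tracking_enabled', $enable );
    wp_send_json_success( array( 'enabled' => $enable ) );
}

// The admin page that submits the toggle must embed the matching nonce.
// wp_nonce_field() prints a hidden input named 'nonce' (the field name
// check_ajax_referer() above looks for) carrying a nonce for this action.
function example_tracking_nonce_field() {
    wp_nonce_field( 'example_tracking_toggle', 'nonce' );
}
```

When auditing a plugin for this class of issue, the quick check is to list every `wp_ajax_nopriv_*`, `admin_post_nopriv_*` and REST route registration and confirm that each handler which writes state calls `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check before touching options or the database.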

    I have just learned about this problem from a Wordfence alert from my site and wanted to export the emails to CSV, which produced a file with column headings and no data. I wanted to keep a list and deactivate the plugin. I ended up exporting the e-mail list from the database. Please expedite the much anticipated fix.

    Malatesta

    (@malatesta)

    Could we get some information on the status of any work that is being done right now in order to solve this issue? Thanks!

    I deactivated the plugin, but do need something like it…

    ACEkin

    (@acekin)

    I think it is time to give up on Subscribe2. I have been trying Noptin plugin and it seems promising. I will likely switch to that.

    Is this plugin dead?

    It has served me well for many years, so I am reluctant to replace it if someone is working on a fix.

    Plugin Support Al Rubyat

    (@rubyat13)

    Hi there,

    We apologize for the inconvenience you’re experiencing. It’s possible that the email issue is related to recent changes in the settings. Please double-check your email configuration and spam/junk folders.

    We’re excited to let you know that we will be releasing a revamped version of Subscribe2 soon, which will address many existing issues. We appreciate your patience and understanding.

    Thanks

    Good morning! I have already switched to another plugin.

    @acekin which one?

    I would recommend Icegram Express. They also provide very good support. The plugin works very well. I was able to export my Subscribe2 database table from cPanel using phpMyAdmin, as Subscribe2 export did not work. I imported the e-mail list with no problem to Icegram.

    SolidWP is still reporting that this problem still hasn’t been fixed. Can you advise when this will be fixed, please?

    https://solidwp.com/blog/wordpress-vulnerability-report-april-17-2024/#h-subscribe2-form-email-subscribers-newsletters

    @creativepassion have a look at the links above and you can see that the reported vulnerability was patched in version 10.43, according to those sites. I, therefore, reactivated the plugin on my site.
