Vulnerabilities and security researches forsubscribe-to-comments subscribe-to-comments

Jul 21, 2025

CVE, Research URL: CVE-2015-10133
Home page URL: Security reports for Subscribe to Comments
Application: Subscribe to Comments
Date: Jul 19, 2025
Research Description: The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code.
Affected versions: Min -, max -.
Status: vulnerable

Oct 31, 2024

CVE, Research URL: CVE-2024-8792
Home page URL: Security reports for Subscribe to Comments
Application: Subscribe to Comments
Date: Oct 30, 2024
Research Description: The Subscribe to Comments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: f69cd55925560294fe3e43bb5ca85d72219309c8
Home page URL: Security reports for Subscribe to Comments
Application: Subscribe to Comments
Date: Nov 16, 2009
Research Description: Subscribe to Comments [subscribe-to-comments] < 2.3 (closed) WordPress Subscribe to Comments Plugin 2.0 - Multiple Cross-Site Scripting Vulnerabilities Subscribe to Comments plugin is prone to a cross-site scripting. Application fails to sufficiently clean up user-supplied data. The attacker-supplied could run HTML or JavaScript code in the context of the affected site. In that way the attacker can steal cookie-based authentication credits. There are other attacks also possible.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2006-10001
Home page URL: Security reports for Subscribe to Comments
Application: Subscribe to Comments
Date: Mar 06, 2023
Research Description: A vulnerability, which was classified as problematic, was found in Subscribe to Comments Plugin up to 2.0.7 on WordPress. This affects an unknown part of the file subscribe-to-comments.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.0.8 is able to address this issue. The identifier of the patch is 9683bdf462fcac2f32b33be98f0b96497fbd1bb6. It is recommended to upgrade the affected component. The identifier VDB-222321 was assigned to this vulnerability.
Affected versions: Min -, max -.
Status: vulnerable