CVE-2022-29414: Subscribe To Comments Reloaded
Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allow attackers to perform the following actions:
- clean up the log archive
- download the system info file
- change the plugin system settings
- change the plugin options settings
- generate a new key
- reset all options
- change the notifications settings
- change the management page settings
- change the comment form settings
- manage subscriptions > mass update settings
- manage subscriptions > add a new subscription
- update a subscription
- delete a subscription
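The vulnerability class above is a state-changing admin action that is processed without proof that the administrator intended it. The following is an added example, not code from the plugin or from WPKube: a hypothetical WordPress settings handler shown first in a CSRF-prone form and then with the nonce and capability checks that WordPress provides for exactly this purpose. The `myplugin_*` names, the option key and the `admin-post.php` action name are assumptions; `wp_nonce_field()`, `check_admin_referer()`, `wp_nonce_url()` and `current_user_can()` are standard WordPress functions.

```php
<?php
// Added example (not the plugin's code): a "reset all options" handler for a
// hypothetical plugin, once without and once with CSRF protection.
// myplugin_* names, the option key and the action name are assumptions.

// --- Vulnerable: any POST that reaches admin-post.php with this action is
// processed, so a page the administrator merely visits can submit it for them.
function myplugin_reset_options_vulnerable() {
    delete_option( 'myplugin_settings' );   // state change with no proof of intent
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// --- Hardened, step 1: the form carries a nonce bound to this action.
function myplugin_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_reset_options">
        <?php wp_nonce_field( 'myplugin_reset_options', 'myplugin_nonce' ); ?>
        <?php submit_button( 'Reset all options' ); ?>
    </form>
    <?php
}

// --- Hardened, step 2: the handler refuses the request unless the user may
// act AND the nonce verifies. Order matters only for the error shown; both
// checks must pass before any state is touched.
function myplugin_reset_options_hardened() {
    // Capability check. CSRF runs with the victim's rights, so this alone does
    // not stop it, but it keeps low-privilege and logged-out users out.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check. Dies when the token is missing, forged or stale; a form on
    // a third-party site cannot obtain a valid one for this user and action.
    check_admin_referer( 'myplugin_reset_options', 'myplugin_nonce' );

    delete_option( 'myplugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&reset=1' ) );
    exit;
}

// Actions triggered by a link (e.g. a "generate new key" button implemented
// as a GET request) get the same protection by putting the nonce in the URL
// and verifying it in the handler with check_admin_referer().
function myplugin_generate_key_url() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=myplugin_generate_key' ),
        'myplugin_generate_key',
        'myplugin_nonce'
    );
}

// Only the hardened handler is registered for the admin-post.php action.
add_action( 'admin_post_myplugin_reset_options', 'myplugin_reset_options_hardened' );
```

When reviewing a plugin for this class of bug, look for every handler hooked to `admin_post_*`, `wp_ajax_*` or a settings page that reads `$_POST`/`$_GET` and writes options or rows: each one should contain a `check_admin_referer()` (or `check_ajax_referer()`/`wp_verify_nonce()`) call and a `current_user_can()` call before the first write.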
Subscribe to Comments Reloaded is a robust plugin that enables commenters to sign up for e-mail notification of subsequent comments. The plugin includes a full-featured subscription manager that your commenters can use to unsubscribe from certain posts or suspend all notifications. It solves most of the issues that affect Mark Jaquith's version, using the latest WordPress features and functionality. It also allows administrators to enable a double opt-in mechanism, requiring users to confirm their subscription by clicking on a link they receive via email, as well as One Click Unsubscribe.
Requirements
- WordPress 4.0 or higher
- PHP 5.6 or higher
- MySQL 5.x or higher
Main Features
- Easily manage and search among your subscriptions
- Imports Mark Jaquith’s Subscribe To Comments (and its clones) data
- Messages are fully customizable, no poEdit required (and you can use HTML!) with a Rich Text Editor – WYSIWYG
- Disable subscriptions for specific posts
- One Click Unsubscribe
- Get and Download your System information for better support.
Language Localization
If you would like to help out translating the plugin to your language, you can do so through the official WordPress plugin translation system.
- If you are using Subscribe To Comments by Mark Jaquith, disable it (no need to uninstall it, though)
- Upload the entire folder and all the subfolders to your WordPress plugins’ folder. You can also use the downloaded ZIP file to upload it.
- Activate it
- Customize the Permalink value under Settings > Subscribe to Comments > Management Page > Management URL. It must reflect your permalinks’ structure
- If you don't see the checkbox to subscribe, you will have to manually edit your template and add `<?php global $wp_subscribe_reloaded; if (isset($wp_subscribe_reloaded)){ echo $wp_subscribe_reloaded->stcr->subscribe_reloaded_show(); } ?>` somewhere in your comments.php
- If you’re upgrading from a previous version, please make sure to deactivate/activate StCR.
- You can always install the latest development version by taking a look at this Video
Are there any video tutorials?
Yeah, I have uploaded a few videos for the following topics:
- Issues Updating StCR via WordPress Update
- Issues with StCR links see StCR Clickable Links
- Issues with empty emails or management messages? see StCR Management Message
- Upgrading from the latest development version see Upgrading
Why are my notifications not in HTML format?
Don't worry, just go to the Options tab and set the Enable HTML emails option to Yes.
How can I reset all the plugin options?
There is a new feature called Safely Uninstall that allows you to delete the plugin using the WordPress plugin interface. If you have the option set to Yes, everything but the subscriptions created by the plugin will be wiped out. So after you have made sure that this option is set to Yes, you can deactivate the plugin and then delete it. Then install the plugin again via WordPress or upload the plugin zip file and activate it; after this step all your settings will be at their defaults and your subscriptions will remain.
There is a new feature added on the Options tab where you can reset all the settings by using only one click. You can either wipe out all the subscriptions or keep them.
What can I do if the **Safely Uninstall** does not have any value?
Just deactivate and activate the plugin and you are all set. The default value will be Yes.
Aaargh! Where did all my subscriptions go?
No panic. If you upgraded from 1.6 or earlier to 2.0+, you need to deactivate/activate StCR, in order to update the DB structure. After the version 180212 a fix was applied so that you can see all the subscriptions.
Can I customize the layout of the management page?
Yes, each HTML tag has a CSS class or ID that you can use to change its position or look-and-feel.
How do I disable subscriptions for a given post?
Add a custom field called stcr_disable_subscriptions to it, with value ‘yes’
How do I add the management page URL to my posts?
Use the shortcode [subscribe-url], or use the following code in your theme (only the opening of the snippet survives on this page):
`global $wp_subscribe_reloaded; if (isset($wp_subscribe_reloaded)){ echo 'Subscribe`
Can I move the subscription checkbox to another position?
Yes! Just disable the corresponding option under Settings > Comment Form and then add the following code where you want to display the checkbox:
`<?php global $wp_subscribe_reloaded; if (isset($wp_subscribe_reloaded)){ echo $wp_subscribe_reloaded->stcr->subscribe_reloaded_show(); } ?>`
What if, after updating to version 141024, I still see plain HTML messages?
Your configuration needs to be updated. Go to the Subscribe to Comments Reloaded settings and click the Save Changes button on the tab where you have your HTML messages.
How do I generate a new key for my site?
Just go to the Options panel and click the generate button. By generating a new key you prevent spam bots from reusing your links.
People from my website who subscribed to comments said that in the e-mail they get the IP of the user who left the comment. I'm going to find another plugin.
I have v.210315. I translated it into Italian 100% with Loco Translate, but I noticed that in the plugin there are still many entries in English.
Just installed this as an alternative to setting up a forum, which seemed too much like hard work! Love it so far, very easy to set up and I like the fact that every item has a “?” so you can find out what it means before setting it.
Believe me guys, I tried all the plugins out there available for comment subscription and this is the only plugin that is robust, reliable and with continuous support from the author for a very long time. And guess what it’s completely free. Thanks a lot for this wonderful plugin. All the best for your great success.
A fabulous plugin that helps people to stay engaged with the posts they appreciate much. Thank you!
If I had written design specs for a plugin and commissioned someone to write it, the result would not have been as good as this plugin is. Setting up this plugin it quickly becomes apparent that a lot of real-world experience has been incorporated into it over the years. The end result is, that it works like a dream and totally exceeds my expectations. Thanks so much!
“Subscribe To Comments Reloaded” is open source software. The following people have contributed to this plugin.
Contributors
- WPKube
v211130
- Fix Removed custom error handler (thanks to JakeQZ for bringing the issue to our attention)
- Fix Processing form submission in subscribe.php is now stopped in case “subscribe without commenting” is enabled
v211019
- Fix Issue with STCR output on non-virtual management page
v210315
- Fix Removed the “need help” added via “contextual_help” (deprecated)
- Fix PHP 8 deprecated notice
- Fix Fix issue with missing submit button when using “stcr_disable_subscription” custom field
- Tweak Bump up WP “tested up to” version to 5.7
v210126
- New Option to disable the “subscribe without commenting” and “request management link” pages. ( WP Admin > StCR > Management Page )
v210110
- Fix Limit subscription types on the management page when only a specific subscription is allowed
- Fix JS error on front-end
v210104
- New Google reCAPTCHA now available for the “subscribe without commenting” and “request management subscription” form (WP admin > StCR > Options)
- Improvement When using the checkbox (not the select box from advanced subscription) you can now select the subscription type (all or replies) (WP admin > StCR > Comment Form)
- Improvement [comment_author] can now be used in the Notification subject (WP admin > StCR > Notifications)
- Improvement Replaced final instances of jQuery code to be raw JavaScript (not rely on jQuery)
- Fix The form to “request management link” will now check if that email is a subscriber before sending a link
- Fix Issue with broken option tooltips on Notifications settings page
- Tweak Removed HTML comments around the plugin’s output on the frontend
v200813
- Fix Error when permanently deleting a post/page/… (related to WP 5.5 change in the “delete_post” hook coming with a 2nd parameter)
v200629
- New Option to show the subscription checkbox/select only for logged in users (option called “Enable only for logged in users” and located in WP admin > StCR > Options)
- New Added [comment_date] and [comment_time] shortcodes which can be used in the “notification message”.
- Improvement Challenge question/answer now shows on “request management link” page as well
- Improvement Replaced multiple instances of jQuery code to be raw JavaScript (not rely on jQuery)
- Tweak Added label for the checkbox in “Screen Options”
- Tweak Email input value fallback to “email” removed
- Fix Subscriptions will no longer duplicate when post is copied/duplicated with the “Duplicate Post” plugin
- Fix Fixed issue with PHP notice when $comment object does not have comment_approved set
- Fix The jQuery code that handles moving the position of the checkbox is now added later on in the code to avoid issue when jQuery gets loaded in the footer
v200422
- New Arabic translation, thanks to Yaser Maadan
- Fix WP_PLUGIN_URL replaced by plugins_url()
- Fix Issue with “generate new key” button for “StCR Unique Key” not working (WP Admin > StCR > Options)
- Fix Issue with ordering by date in the subscription management table (WP Admin > StCR > Manage subscriptions)
- Fix Issue with management page ( /comment-subscriptions/ ) being shown for child pages as well ( /comment-subscriptions/something-else/ )
- Fix Corrections in Hungarian translation
- Tweak Some other minor tweaks
v200205
- New Function for developers to add subscribers. Check the guide
- New Option to set a challenge (question + answer) for the “subscribe without commenting” form to prevent automatic bot submissions
- Fix It is now possible to send out plain text emails instead of HTML emails. Check the guide
- Fix It is now possible for visitors to subscribe to comments when the comments are only open for logged in users and the visitor is not logged in
- Fix Corrections in German translation
v191217
- Improvement Option to enable/disable the plugin from setting cookies (email address after subscription)
- Improvement German translation improvements (thanks to Greendroid)
v191209
- Improvement Logged in users no longer need to submit the “email” form on a subscription page in order to access their subscriptions
- Improvement Ability to filter/search the subscriptions table ( WP admin > StCR > Manage Subscriptions ) when there are more than 1000 subscriptions
v191028
- Fix Issue with “Default Checkbox Value” not being saved
- Fix Issue with /comment-subscriptions taking to 404 ( when it does not end with / )
- Tweak Error notification when [manager_link] used in “Management Page message”.
v191011
- Fix Revert changes to error logging due to PHP errors/warnings
v191009
- Fix Issue with post slug being displayed instead of the post title on unsubscribe
- Fix HTML validation error in subscribe template
- Fix Fix German translation “Nicht abonnieren”
- Fix Fix import data from Subscribe Reloaded by Mark Jaquith
- Fix Issue with using double quotes in options
- Tweak Show a message to the comment author to check his email to confirm subscription
- Tweak Performance improvement for error logging
v190529
- Fix Issue with being unable to dismiss admin notices shown by StCR
- Fix Virtual management page was still being shown even when disabled
v190523
- Fix Remove the old system information functionality
v190510
- New Option to only enable the functionality for blog posts ( option named “Enable only for blog posts” located in WP admin > StCR > StCR Options)
- Tweak Info on subscriber and subscriptions amount moved into separate table
- Fix Text domain
v190426
- New Info on the amount of subscribers and subscriptions added in WP admin > StCR > StCR System
- Fix Text domain (for translations) has been changed to the correct domain (from subscribe-reloaded to subscribe-to-comments-reloaded)
- Fix Issue with undefined is_rtl function
- Fix Missing blank space between sentences (below comment form when subscribed)
- Fix Undefined variable notices for $order_status and $order_dt
- Fix Temporarily hidden an unused option in StCR > Management Page to avoid confusion.
- Fix Removed localization for non textual strings
- Fix Fixed incorrectly localized textual strings
v190412
- Fix Issue with JavaScript code that is supposed to show the form when “StCR Position” is enabled
v190409
- Fix Post author was notified of new comments even if they are awaiting approval, no need for this since WordPress itself sends out an email in that case
- Fix Post author was notified twice ( if he was subscribed and “subscribe authors” was enabled )
- Fix Issue with “StCR Position” option ( for older/outdated themes ) not working properly
- Fix Issue with wrong translation in German
- Tweak The “Action” select box labels on “Manage Subscriptions” page tweaked to be more descriptive
v190325
- New Shortcode for manage page content (to be used on non-virtual management page). The shortcode is [stcr_management_page]
- Rewrite New method for downloading system information file
- Fix The admin panel CSS and JavaScript files now load only on StCR pages
- Fix Tooltips not showing up on System options page
- Fix Conflict with MailChimp for WP plugin (comment filter received echo instead of return which caused the issue)
- Fix Issue with select/deselect all on management page
- Tweak The MySQL requirements info on the system page now uses WordPress requirements
- Tweak The post author will no longer be notified of his/her own comments
v190305
- Fix Issue with “Subscribe authors” functionality sending the emails to administrator instead of the post author
v190214
- Fix String error calling the Curl Array.
- Fix wrong array definition that was breaking the site in some newer PHP versions.
- Fix error by calling $wp_locale that was not needed.
- Fix wrong label on option issue #467.
- Fix typo in help description issue #468.
v190117
- Fix missing checkbox when the option StCR Position was set to Yes.
- Fix styles on admin notices.
- Fix filenames to match the correct menu name.
- Fix # issue#431 and issue#444.
- Fix warning message that was notifying the server when the Management URL was empty. Now the field must have a value. Props @breezynetworks on WordPress Forum
- Fix value of management page to get it on the event instead of page load.
- Add translation for Subs Table, Add PHP error logger.
- Add Plugin information on Cards.
- Add the Phing build script to automate the deployment and testings.
- Add WebUI Popover library to display the help messages in a clear way.
- Add dropdown menu on the options tab to include the System menu.
- Add option to download the system report.
- Add functionality to create the system report via Ajax.
- Add cron to clean house the system report file.
- Upgrade the Comment Form Panel 2 options.
- Upgrade the Management Page panel.
- Upgrade the Options Panel.
- Upgrade the Support Panel.
- Upgrade the StCR System Menu.
- Update Font Awesome references.
- Update Admin Menus with Bootstrap.
- Implement Pagination using plugins and fix responsive layout of management page.
- Implement SASS for the CSS files.
- Implement a cache array for the menu options.
- Remove unnecessary components from Composer.
- Remove double inclusion of Font Awesome.
- Modify Bower, Gulp and Phing files to implement WebUI Popover.
- Refactor the options saving process.
- Refactor code to move the functional saving options to the Utils Class.
- Set the Double Verification option to yes.
- Create array of options for improved support.
- Sanitize input and output data to prevent XSS. Code modification and suggestion by @jnorell.
- Reword option to avoid misleading new users. Props @padraigobeirn.
- Move the plugin core files to the folder src in order to implement npm and bower task managers.
v180225
- Fix error when a user subscribed to a new post with double opt-in enabled, which prevented the double opt-in email message from being sent. Issue#350.
- Add email and post id validation on the StCR backend.
- Add email, search and post id validation on the frontend.
- Add backend validation for input data (email) on the subscribe and request management pages.
- Add debug messages to improve support.
- Add feature to change the date format output on the management page for both the User page and Author. See issue#345.
- Remove the inclusion of the plugin scripts with WP enqueue. Only the needed script is now loaded on specific pages, which removes requests to the server for unused scripts.