
A critical vulnerability, CVE-2024-12562 (CVSS 9.8), has been discovered in the popular WordPress plugin s2Member Pro. The bug allows unauthenticated attackers to inject malicious PHP objects, putting millions of websites at risk.
s2Member Pro is a popular plugin used for membership management, subscription sales, and content access control. In total, this plugin has been downloaded more than 1.6 million times, which makes the vulnerability particularly dangerous. The problem lies in the incorrect processing of data transmitted through the s2member_pro_remote_op parameter. This creates the conditions for a PHP object injection attack and allows an attacker to chain further attacks on top of it. Such actions can lead to file deletion, theft of sensitive data, and remote code execution. The vulnerability was discovered by Istvan Marton, a researcher at Wordfence, a well-known developer of WordPress security solutions. The s2Member development team responded quickly by releasing update 250214, which fixes the bug.
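To make the class of bug concrete, here is an added example (not s2Member's code, and not the actual fix) showing the unsafe pattern behind a PHP object injection via an unauthenticated request parameter, next to a hardened handler. The parameter name comes from the article; the base64 encoding, the payload layout, the HMAC scheme and the operation names are assumptions made for the illustration.

```php
<?php
// Added example, not s2Member's code. Illustrates PHP object injection from an
// unauthenticated request parameter and one way to harden the handler.
// Parameter name is from the article; encoding and layout are assumed.

// --- Vulnerable pattern: untrusted input reaches unserialize() ---------------
function handle_remote_op_vulnerable(array $request): mixed
{
    // unserialize() on attacker-controlled data instantiates arbitrary classes;
    // their __wakeup()/__destruct() methods are what an attacker chains together.
    return unserialize(base64_decode($request['s2member_pro_remote_op'] ?? ''));
}

// --- Hardened pattern ----------------------------------------------------------
// 1. Authenticate the blob with an HMAC keyed by a server-side secret, so only a
//    party holding the key can produce input the site will decode at all.
// 2. Decode with json_decode() (no object instantiation) instead of unserialize();
//    if legacy serialized data must be read, pass ['allowed_classes' => false].
// 3. Whitelist the operations the endpoint supports before acting on them.
function handle_remote_op_hardened(array $request, string $secret): ?array
{
    $raw   = $request['s2member_pro_remote_op'] ?? '';
    $parts = explode('.', $raw, 2);            // "<payload>.<hex hmac>" (assumed layout)
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {       // constant-time comparison
        return null;                            // reject unauthenticated input
    }
    $decoded = base64_decode($payload, true);  // strict decoding
    if ($decoded === false) {
        return null;
    }
    $op = json_decode($decoded, true);         // arrays only, never objects
    if (!is_array($op) || !isset($op['op']) || !is_string($op['op'])) {
        return null;
    }
    $allowed = ['get_status', 'update_profile']; // assumed operation names
    return in_array($op['op'], $allowed, true) ? $op : null;
}
```

Detection-wise, the same idea applies when auditing other plugins: any `unserialize()` reachable from `$_GET`, `$_POST` or `$_REQUEST` without a prior integrity check is the pattern to look for.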
Such vulnerabilities often lead to large-scale attacks on websites. For example, in 2024 attacks via the PHP Everywhere plugin were reported, and that plugin was compromised as part of a supply-chain attack. Website owners using s2Member Pro are advised to update the plugin to version 250214 immediately.