A critical security vulnerability has been discovered in the popular s2Member Pro plugin for WordPress, potentially affecting millions of websites. The vulnerability, tracked as CVE-2024-12562 and assigned a CVSS score of 9.8, could allow unauthenticated attackers to inject malicious PHP objects into vulnerable sites.
s2Member Pro is a powerful membership plugin used by website owners to sell subscriptions, restrict access to content, and manage digital downloads. With over 1.6 million downloads, the plugin’s widespread use makes this vulnerability a significant concern.
The vulnerability stems from the plugin’s failure to properly sanitize user input, specifically the s2member_pro_remote_op parameter. This allows attackers to exploit the PHP Object Injection vulnerability and potentially gain control of the website.
While the vulnerability itself does not directly provide attackers with a way to execute code, it can be chained with other vulnerabilities present in themes or plugins installed on the target website. This could lead to severe consequences, including arbitrary file deletion, sensitive data theft, and remote code execution.
The vulnerability was discovered and reported by István Márton at Wordfence, a leading WordPress security firm. The s2Member development team has since released a patch in version 250214, urging users to update their plugin to the latest version immediately.
Website owners using s2Member Pro are strongly advised to update their plugin as soon as possible to mitigate the risk of exploitation. Additionally, it is crucial to keep all themes and plugins updated and to regularly back up website data.
