s2Member < 250424 – Administrator+ Local File Inclusion | CVE 2025-32137 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affects Plugins

Fixed in 250424

References

CVE

URL

https://patchstack.com/database/wordpress/plugin/s2member/vulnerability/wordpress-s2member-plugin-250214-local-file-inclusion-vulnerability

Classification

Type

RFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Hakiduck

Verified

No

WPVDB ID

352933eb-3bee-4edd-b711-5eb94fcefd9e

Timeline

Publicly Published

2025-04-04 (about 1 year ago)

Added

2025-04-10 (about 1 year ago)

Last Updated

2025-04-24 (about 1 year ago)

Other

Published

Title

Published

2026-03-06

Title

VegaDays - Vegetarian Food Festival & Eco Event WordPress Theme <= 1.2.0 - Unauthenticated Local File Inclusion

Published

2026-02-26

Title

Nirvana <= 2.6 - Unauthenticated Local File Inclusion

Published

2025-05-21

Title

Blog Designer PRO for WordPress <= 3.4.7 - Unauthenticated Local File Inclusion

Published

2025-08-22

Title

Catamaran <= 1.15 - Unauthenticated Local File Inclusion

Published

2025-08-23

Title

HealthHub <= 1.3.0 - Unauthenticated Local File Inclusion