WordPress Plugin Vulnerabilities

s2Member (Pro) < 241216 - Unauthenticated Remote Code Execution

Description

The plugin is vulnerable to Remote Code Execution. This makes it possible for unauthenticated attackers to execute code on the server.

Affects Plugins

Plugin icon
s2member
Fixed in 241216

References

CVE
CVE-2024-51815
URL
https://patchstack.com/database/wordpress/plugin/s2member/vulnerability/wordpress-s2member-excellent-for-all-kinds-of-memberships-content-restriction-paywalls-member-access-subscriptions-plugin-241114-remote-code-execution-rce-vulnerability

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Hakiduck
Verified
No
WPVDB ID
a103b1b3-14c2-4b68-8cde-d96135765d9a

Timeline

Publicly Published
2024-12-02 (about 1 year ago)
Added
2024-12-12 (about 1 year ago)
Last Updated
2024-12-17 (about 1 year ago)

Other

Published
Title
Published
2025-10-31
Title
Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution
Published
2025-09-03
Title
atec Debug < 1.2.23 - Authenticated (Administrator+) Remote Code Execution
Published
2014-08-01
Title
Wordpress <= 1.5.1.3 - Remote Code Execution
Published
2024-01-24
Title
File Manager Pro < 8.3.5 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2020-03-25
Title
Product Lister for Walmart <= 1.0.0 - Unauthenticated RCE via Outdated PHPUnit