WordPress Plugin Vulnerabilities

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions < 241216 - Authenticated (Contributor+) Sensitive Information Exposure

Description

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 241114 via the 'sc_get_details' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including user data and database configuration information, which can lead to reading, updating, or dropping database tables. The vulnerability was partially patched in version 241114.

Affects Plugins

Plugin icon
s2member
Fixed in 241216

References

CVE
CVE-2024-8326
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/410d4ab0-22dd-4993-afbf-ae6193b70977

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
8.8 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
d768570a-f77f-4654-9a4f-ee643516e636

Timeline

Publicly Published
2024-12-16 (about 1 year ago)
Added
2024-12-16 (about 1 year ago)
Last Updated
2024-12-17 (about 1 year ago)

Other

Published
Title
Published
2026-01-17
Title
Cargus < 1.5.9 - Unauthenticated Information Exposure
Published
2025-06-04
Title
elfsight Contact Form widget <= 2.3.1 - Unauthenticated Information Exposure
Published
2025-09-03
Title
Klarna Order Management for WooCommerce < 1.9.9 - Shop Manager+ Information Disclosure
Published
2025-02-04
Title
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto < 8.0.9 - Unauthenticated Sensitive Information Exposure
Published
2024-11-26
Title
ProfilePress < 4.15.19 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure