WordPress Plugin Vulnerabilities

s2Member < 251005 - Unauthenticated Remote Code Execution

Description

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 250905. This makes it possible for unauthenticated attackers to execute code on the server.

Affects Plugins

Plugin icon
s2member
Fixed in 251005

References

CVE
CVE-2025-62023
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/98ca009b-0e15-4945-a5c3-b08c081e7577

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Drew Webber (mcdruid)
Verified
No
WPVDB ID
eb3f2913-a803-47a2-a078-33a63096d7a6

Timeline

Publicly Published
2025-10-01 (about 7 months ago)
Added
2025-10-29 (about 6 months ago)
Last Updated
2025-10-29 (about 6 months ago)

Other

Published
Title
Published
2025-01-21
Title
GamiPress < 7.2.2 - Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function
Published
2025-08-25
Title
bidorbuy Store Integrator <= 2.12.0 - Authenticated (Admin+) Remote Code Execution
Published
2026-03-02
Title
Widget Options <= 4.1.3 - Contributor+ Remote Code Execution
Published
2025-01-30
Title
AI Infographic Maker < 5.0.0 - Unauthenticated Arbitrary Shortcode Execution
Published
2017-01-11
Title
WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer