CVE-2024-12562

CRITICAL

S2member < 250214 - Insecure Deserialization

Title source: rule

Description

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

References (2)

[Release Notes] https://s2member.com/changelog/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/65192fdb-86db-475a-8c61-4db922920cfe?source=cve

Scores

CVSS v3 9.8

EPSS 0.0339

EPSS Percentile 87.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

s2member/s2member < 250214

Timeline

Published Feb 15, 2025

Tracked Since Feb 18, 2026