All Versions Critical Vulnerability

I agree with you.

If we only allow users read permissions and plain-text comments, even if they typed PHP code it should not be executed; it should be treated by WordPress as a plain-text representation, like when we post examples in forums, etc.

Even if they upload files (if they’re authors or if you allow them to upload images when commenting, etc.) I assume it’s up to WordPress’s core (and major security plugins) to protect against such bad executions?

I will eventually try to understand the situation better but it will take me a while because I am a bit overwhelmed with personal matters :grimacing:

I’ll do the best I can, meanwhile, to be here on and off. Removing bad posts and trying to help when I see something familiar enough for me to try to clarify. I appreciate that we have a nice and patient community here.

I hope @clavaque comes around soon as well.

Meanwhile, enjoy the first spring weekend, if you’re in the Northern Hemisphere.

:tulip::tulip::tulip:

2 Likes

Hi @clavaque, could you please comment on this vulnerability announcement:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/s2member-pro/s2member-pro-241216-unauthenticated-php-object-injection

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the ‘s2member_pro_remote_op’ vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

The fix is to upgrade to v250214.

But I don’t see any mention of this critical security vulnerability in the changelog: https://s2member.com/changelog

Can you comment on how to check whether a site running s2member might also have a “POP chain” in another plugin or theme, as described in that notice?

Thank you!

I have the same error on my WordPress site too. This is being flagged as a MAJOR vulnerability and there’s no update showing. I’m running Version 250214 + s2Member Pro v220421

@clavaque Is this a known issue that will be handled? I’d prefer to not disable the plugin but I also don’t want to run my site with a major security flaw present.

Well, the problem is that 250214 has serious IPN issues and is unusable for many setups.
Maybe it’s the fix that messes up s2member or another change, but 250214 is not release worthy.

The only change I was able to find related to this is the following:

  • in [pro\s2member-pro\includes\classes\remote-ops.inc.php at line #135]

if (is_array($serialized_op = maybe_unserialize($op))) {

to

if (is_serialized($op) && is_array($serialized_op = @unserialize(trim($op), ['allowed_classes' => false]))) {

Not sure if there are more changes. I will use that change and look if it causes me any problems. I hope not - I hope this is not related to the IPN redirection messup.

However, I think there were actually two vulnerabilities present, because the changelog is as follows, so there is another one discovered by István Márton from Wordfence:

  • (Pro) Enhancement : Improved data handling in the Remote Operations API. Props to István.
  • (Pro) Enhancement : Improved validation of the template attribute in pro-forms and s2Member-List shortcodes. Props to István.

I may try if I can just use s2member-pro 250214 by changing its version number to the older one.

Edit: it’s okay to update s2member-pro only, the IPN mess must be in the s2member plugin itself. s2member-pro is not messed up.

1 Like
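As an added illustration (not code from the plugin or from the post above), this standalone PHP script shows what the quoted one-line change in remote-ops.inc.php achieves: an unrestricted unserialize() instantiates whatever class the input names and runs its magic methods, while unserialize() with 'allowed_classes' => false yields only a __PHP_Incomplete_Class that an is_array() check then rejects. The AuditMarker class and the sample inputs are constructed for the demo; they are not s2Member types.

```php
<?php
// Added example (not s2Member's code): what the remote-ops change achieves by
// replacing maybe_unserialize($op) with unserialize(..., ['allowed_classes' => false]).
declare(strict_types=1);

// A harmless stand-in for any class that defines a magic method. With an
// unrestricted unserialize(), PHP instantiates it and runs __wakeup(); with
// 'allowed_classes' => false it becomes a __PHP_Incomplete_Class and no
// method of the class ever runs.
class AuditMarker
{
    public static int $wakeups = 0;
    public string $note = '';

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Old behaviour: maybe_unserialize() delegates to unserialize() with no class restriction.
function remote_op_unrestricted(string $op)
{
    return @unserialize(trim($op));
}

// New behaviour: no class is ever instantiated, and only an array is accepted as an op.
function remote_op_restricted(string $op): ?array
{
    $decoded = @unserialize(trim($op), ['allowed_classes' => false]);
    return is_array($decoded) ? $decoded : null;
}

// Constructed inputs: the array shape a legitimate request carries, and a
// serialized object, which a remote_op request has no reason to contain.
$arrayOp  = serialize(['op' => 'get_user', 'user_id' => 42]);
$objectOp = 'O:11:"AuditMarker":1:{s:4:"note";s:4:"demo";}';

$before = remote_op_unrestricted($objectOp);
printf("unrestricted: got %s, __wakeup ran %d time(s)\n", get_class($before), AuditMarker::$wakeups);

$after = @unserialize($objectOp, ['allowed_classes' => false]);
printf("restricted:   got %s, __wakeup ran %d time(s)\n", get_class($after), AuditMarker::$wakeups);

printf("object op accepted by the hardened helper? %s\n", remote_op_restricted($objectOp) === null ? 'no' : 'yes');
printf("array op accepted by the hardened helper?  %s\n", remote_op_restricted($arrayOp) === null ? 'no' : 'yes');
```

The second printf shows the wakeup counter unchanged, which is the whole point of the patch: the request can no longer cause any plugin or theme class to be constructed.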

I joined the three abandoned messages above to this topic, since they’re a bit related (even though not exactly).

:tulip:

From memory @clavaque opted NOT to mention this vulnerability existed or that it was fixed, which I believe is a mistake. Knowing a product is patched is better than not knowing if the authors are aware of any issues or not. No substantial piece of software can be considered 100% totally safe, and to assume so is foolish in the extreme. Writing software, especially open source software, is a HUGE task and I’m grateful every time I find a new product that fits my needs, and I ALWAYS assume there are bugs awaiting discovery.

All that said does anyone know if shortcodes are configured to be executed within wordpress comments by default? I always have comments disabled on my site, so I never really think about it, but this newly announced “vulnerability” does make me consider it again…

The version before the latest is the one that was supposedly patched for the security issue, but my brain can be playing tricks on me, so don’t take what I say as gospel now or ever, just my perspective :innocent:

To be honest I am more worried about @clavaque’s well-being because he suddenly disappeared without any sort of notice.

I really hope he’s okay. :pray:t2:

Sooner or later, if he comes around, he’ll know what to do. Otherwise, we’ll figure it out too.

I don’t want to promise anything because I might not be able to deliver. I have previous experience as a systems analyst but I know nothing of php. :grimacing:

When my brain cooperates I am a fast learner, but I am terrified of promising anything without being able to deliver.

I am also not going to put a massive number of “brain frying hours” on a project without being rewarded for my work. Fixing gaps here and there for free is ok because I like the project and the community, but something massive as having to actually use a lot of energy spoons (I have CFS, it’s a common term we use) on this without earning enough might not happen.

I have a feeling we are somewhat safe and that we should not panic. Same when you get files that are modified and antiviruses give you a false positive because they don’t want liability when unable to properly assess a threat’s existence.

:pray:t2:

1 Like

As much as I hate to admit it, it may be time to move on from S2member. If it were purely a free product, I could understand the lack of support. But me (and many here) paid good money for this and to get zero support is unfathomable.

I specifically left Memberful in order to have a one-time purchase of something that worked great. In the end, this old and barely maintained plugin is going to bite us in the butt with critical security vulnerabilities.

Maybe it’s time to see if the Stripe subscriptions we’re all using behind the scenes can just be used on the front end with some plugins or something. At least then we’d get their modern interface rather than a signup form that looks shady no matter how much CSS you put into it.

Well, @clavaque said he’s not abandoning the project. I assume he might be dealing with personal issues.

It’s surely difficult for him to keep the project going if he doesn’t get paid to do it, so I believe that he might (fairly) modify his business model, maybe charge per update or a monthly fee to get updates after a specific date.

When we deal with large corporations it’s usually revolting when they don’t grandfather us in and honor their original promises, but when it’s a small creator like @clavaque I believe it’s more than fair to have some sort of affordable maintenance cost that’s a small fixed fee we pay on a monthly or yearly basis.

I still prefer to use s2member than other plugins that snoop our data and try to manage our subscriptions instead of allowing us to do it without sharing user information. I’d not accept that unless there were really no other way.

I am already in the talks with someone, thanks to @Gerard, who took the initiative and included me in the conversation. There will be news soon, very likely instructions on this very topic telling everybody which file to change and which modification to make, so everybody can implement such modifications.

I think I have another topic or two where I show modifications I made to fix other errors, if I can find those topics I’ll update them too, otherwise I might start new ones, in case anybody wants to add my “hacks” (mostly to fix IPN payment / cancellation related issues).

Stay tuned for news coming soon.

:tulip:

Thanks for this info. TBH if there was a paid-for upgrade on major versions like software used to be, I’d be all for that. But purchasing software, regardless of the in-place model, should include support, useful documentation, and improvements to keep up with changing technology. If @clavaque has things going on, that’s fine but it’s so quiet without any updates after weeks that is concerning.

The website is in desperate need of an update. The help articles are very out of date and many have not been updated in over a decade. Getting modern forms to use on our sites seems like a pipe dream. When a CRITICAL security issue comes up, there should be some form of acknowledgment and fix that’s either in the works or ready to go.

The fact that we all have to rely on this forum for everything and HOPE it solves our problems is… asking a lot.

If the business model has to change to make it more sustainable, then he can do that. But that doesn’t mean abandoning everyone here who paid for what is still being sold and we are on our own.

So… Did you find a better product or are you willing to build one with everything you say for what you ask, from scratch, to compete with it? Let us know because we might become your customers. :grin:

People love to complain.

I have personal difficulties and deal with health issues, amongst other things.

But, otherwise, if I were going to offer what you want, it would surely not be cheap.

This is not supposed to be a good “professional grade” product. It’s just something good enough when you run a small community.

I don’t think it’s fair to treat a single developer that’s clearly struggling as if he were a massive evil corporation enshitifying things.

I am also a user. I also wish for something better. I chose this product because it’s an “indie” solution that might lack here and there but that won’t rip me off for money or data.

As I mentioned, let’s give him some time. If he actually abandons the project, then we can think about the best next step.

People complain about subscriptions, but without some sort of revenue it isn’t sustainable. You get thousands of websites using your product with zero income, then an odd new customer per week or not even that.

You use this plugin because you likely also collect recurring subscriptions as you are aware you’d not be able to even fund your hosting expenses, let alone producing new content.

I am not defending a hefty subscription but things like the unlimited websites for a single license have to go. The least we can do is to pay per additional domain.

I didn’t check the forum stats yet (not sure if they’re visible to me, I’ll take a look later) but if we have a thousand users here paying at least 2 euros per month, on average, he’d get at least 1500 after fees that could at least mean he’d be able to spend a few hours per week working on very basic security updates, nothing else.

If we expect more, whatever new he comes up with should require extra.

For comparison, OneDrive broke shared folders almost an entire year ago. There are thousands of complaints on a single thread. They’re a MASSIVE corporation and they’re ignoring the problem because they intentionally want to push people to upgrade to pay 2 ~ 5 times to get more storage per account by using dark patterns.

Yes, I get you’re frustrated when you see what you don’t understand (the security issues, for example, I assume you don’t understand because you didn’t come with a piece of code to fix it even though it’s not that complex, did you?) but considering that I have been here for more than half a decade I can tell you that @clavaque doesn’t just dismiss us out of choice. I have no idea what is happening but we need to be more patient and understand the context. I have autism but I am not this tone deaf.

If you can have patience, that’s nice. Otherwise, just find a better solution and, if you want, share it with us.

We have a few users here donating time and energy trying to be helpful with ZERO compensation.

I had to register an emergency domain because everything went poof overnight for a few days, then thankfully came back.

I will do what I can when able, to help. There’s pieces of code that might be useful for the vulnerability issue, I am in a conversation with a third party and also @Gerard, via email.

I care about it, but I also feel overwhelmed. I also want to do everything I can to respect @clavaque’s ownership of the plugin and I didn’t learn php. I just copy pieces of code here and there, make adjustments using logical deduction etc.

I really hope he comes around. One thing I believe is that we need to have some sort of communication channel. Even if he comes here only 3 times per week or something. I am helping as a moderator here and even I can’t reach him, otherwise I’d surely have done that.

I am open to ideas, suggestions, thoughts. Sorry for anything.

:tulip:

I share your concern that s2member development has stagnated, at least since 2017 when the two lead developers, Jason Caldwell and Raam Dev, look to have left the project.

Both Jason and Raam now work for Automattic, which I’m not surprised at, they’ve shown their programming chops with developing such an excellent product as S2member.

But since 2017 there have only been two significant additions to the s2member codebase, which I think is very poor indeed.

The first is a Payments Log Add-on which is sold as an added extra, which I think should be included within s2member-pro
https://s2member.com/checkout/payments-log-addon/

and some additional functionality to coupons, whose development was paid for/sponsored by one Carl Borsani, as explained on the s2member-pro changelog:

= v250214 =

- (Pro) **Enhancement**: Improved coupon usage logging for better tracking.

- (Pro) **Enhancement**: Added a new single-use per user option for coupons. Thanks to Carl Borsani for sponsoring this.

- (Pro) **Enhancement**: Coupons can now be limited to specific pro-forms. Thanks to Carl Borsani for sponsoring this.

- (Framework) **Fix**: s2Get can now handle s2Member’s custom profile fields. Thanks to Gerard Earley for reporting this.

- (Framework) **Fix**: Updated the admin notice about the PayPal button encryption setting.

- (Pro) **Enhancement**: Improved data handling in the Remote Operations API. Props to Istvan.

- (Pro) **Enhancement**: Improved validation of the template attribute in pro-forms and s2Member-List shortcodes. Props to Istvan.

As to @clavaque’s situation, I’m sympathetic to anyone in difficult circumstances, but their circumstances are ultimately their concern not mine. My concern is making sure their product, s2member, which I’ve now invested a lot of time and effort into developing on, isn’t going to slowly become a risk. I’d invested a significant amount of time and effort in developing my site in s2member by the time I realised that s2member is pseudo-abandoned; I’m not sure I’d have chosen it as the technology to base my website on, if I’d known.

I sincerely hope @clavaque pulls his finger out and makes clear the development status of s2member. The lack of timely responses, stagnant development and still broken PayPal encrypted buttons after two+ years is a grave concern to me.

For instance, almost a year ago I did a little work to implement UK Postcodes as an s2member user form type, implemented in exactly the same way as US Zip codes. It works very well and I’ve had it running on a website for many many months with no bugs, but I got ZERO response from @clavaque on this issue. I can implement it on my own sites very easily, but it’s the constant lack of response from @clavaque that concerns me.

1 Like

You should directly add patches to GitHub s2member repo…

It’s the wrong payment model. 15-50 USD a year for s2member (including pro) would be much better instead of a one-time payment. I don’t know why it wasn’t changed many years ago. Give those who paid within the last two years free, and that’s it.

Or maybe program a new checkout form and make that payable on subscription. The whole checkout experience really needs to be done newly and that’s not too hard. Including the complete possibility which fields to show and which not and getting rid of the ridiculous reload. The backend of s2member is pretty good once the learning curve is over. Plus integrate Stripe sources.

The content protection system is one of the best. Only niggle that standard browsers cannot resume downloads… it’s really not much except the checkout which is really missing. For invoicing there are many good solutions out there and S2 shouldn’t tackle it as it’s a minefield and huge huge topic. Also those solutions now all integrate directly into PayPal and stripe so it’s just needed that the data on checkout is parsed correctly onwards…

5-6 years ago I tried to change away but there was no single other membership plugin which allows the same flexibility on payments meaning subscription and fixed term. Nearly all others have lifetime and subscription only but no XX days/years. That makes moving away so hard.

2 Likes

Hello again!

Sorry for my delay.

So, the issue is on file s2member-pro/src/includes/classes/sc-member-list-in.inc.php

You need to replace the block:

 $custom_template = $attr['template'] && is_file(TEMPLATEPATH.'/'.$attr['template']) ? TEMPLATEPATH.'/'.$attr['template'] : $custom_template;
$custom_template = $attr['template'] && is_file(get_stylesheet_directory().'/'.$attr['template']) ? get_stylesheet_directory().'/'.$attr['template'] : $custom_template;
$custom_template = $attr['template'] && is_file(WP_CONTENT_DIR.'/'.$attr['template']) ? WP_CONTENT_DIR.'/'.$attr['template'] : $custom_template;

if($attr['template'] && !$custom_template) // Unable to locate the template file?
trigger_error(sprintf('Invalid `template=""` attribute. Could not find: `%1$s`.', esc_html($attr['template'])), E_USER_ERROR);

With…

		// Old version that needed to be sanitized, security vulnerability!!!
		//
		//			$custom_template = $attr['template'] && is_file(TEMPLATEPATH.'/'.$attr['template']) ? TEMPLATEPATH.'/'.$attr['template'] : $custom_template;
		//			$custom_template = $attr['template'] && is_file(get_stylesheet_directory().'/'.$attr['template']) ? get_stylesheet_directory().'/'.$attr['template'] : $custom_template;
		//			$custom_template = $attr['template'] && is_file(WP_CONTENT_DIR.'/'.$attr['template']) ? WP_CONTENT_DIR.'/'.$attr['template'] : $custom_template;
		//
		//			if($attr['template'] && !$custom_template) // Unable to locate the template file?
		//				trigger_error(sprintf('Invalid `template=""` attribute. Could not find: `%1$s`.', esc_html($attr['template'])), E_USER_ERROR);
		//

		//250331 Sanitize template attr.
		$upload_folder = basename(wp_upload_dir()['basedir']); // Get uploads folder name
		$attr['template'] = str_replace(['..', 'upload', $upload_folder], '', sanitize_text_field(esc_url_raw($attr['template'])));

		$custom_template = $attr['template'] && is_file(TEMPLATEPATH.'/'.$attr['template']) ? TEMPLATEPATH.'/'.$attr['template'] : $custom_template;
		$custom_template = $attr['template'] && is_file(get_stylesheet_directory().'/'.$attr['template']) ? get_stylesheet_directory().'/'.$attr['template'] : $custom_template;
		$custom_template = $attr['template'] && is_file(WP_CONTENT_DIR.'/'.$attr['template']) ? WP_CONTENT_DIR.'/'.$attr['template'] : $custom_template;

		if($attr['template'] && !$custom_template) // Unable to locate the template file?
		trigger_error(sprintf('Invalid `template=""` attribute. Could not find: `%1$s`.', esc_html($attr['template'])), E_USER_ERROR);
		//250331 End of Sanitization

If you’re using the PREVIOUS version 241216 from December of last year, you can use the file I attach below, and you must replace that block TWICE in that file (first occurrence at line 185, second occurrence a few lines below; you’ll see it about 50 lines below the first block or so).

If you’re using the LATEST (as of now) version 250214 from February 2025 you only need to do it ONCE on the SECOND Block that starts around line 216, since the first block already had been sanitized by @Clavaque.

His original sanitization block looks a bit different than mine, you can choose either (I only made changes to the comments) or make your own.

//250211 Sanitize template attr.
$upload_folder = basename(wp_upload_dir()['basedir']); // Get uploads folder name
$attr['template'] = str_replace(['..', 'upload', $upload_folder], '', sanitize_text_field(esc_url_raw($attr['template'])));

$custom_template = $attr['template'] && is_file(TEMPLATEPATH.'/'.$attr['template']) ? TEMPLATEPATH.'/'.$attr['template'] : $custom_template;
$custom_template = $attr['template'] && is_file(get_stylesheet_directory().'/'.$attr['template']) ? get_stylesheet_directory().'/'.$attr['template'] : $custom_template;
$custom_template = $attr['template'] && is_file(WP_CONTENT_DIR.'/'.$attr['template']) ? WP_CONTENT_DIR.'/'.$attr['template'] : $custom_template;

if($attr['template'] && !$custom_template) // Unable to locate the template file?
trigger_error(sprintf('Invalid `template=""` attribute. Could not find: `%1$s`.', esc_html($attr['template'])), E_USER_ERROR);

This was brought to us thanks to the help of István Márton (Lana Codes) and you can find the vulnerability report reference at https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/s2member-pro/s2member-pro-250214-authenticated-contributor-local-file-inclusion-to-remote-code-execution-via-shortcode

Below is “MY” patched file, as mentioned, I worked on the version I am currently using, which is 241216 (I believe some of you are doing the same). I will upload a patched version for 250211 later tonight, maybe tomorrow.

sc-member-list-in.inc.php.for version 241216.zip (3.9 KB)

I applied it to mine and things seem to be working normally. I did not have a security warning. Can anybody test the patch and let me know if wordfence agrees with it?

I think I need to find the file for the pro form that was fixed (for people using 2024 December’s Version). I will also look for it by comparing both versions of the plugin to find the modified files. I wonder if that sanitization on the pro form isn’t the cause for issues some of you are reporting, though. :thinking:

Please keep me posted. We’ll get this situation controlled somehow. :pray:t2:

3 Likes
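As an added example (not the plugin's code and not the patch from the post above), the following standalone PHP 8 script shows a containment check that can sit alongside the str_replace() sanitization: each candidate is resolved with realpath(), kept only if it stays below the base directory it was joined to and outside the uploads folder, and restricted to a .php extension. The directory layout, file names and the resolve_template() helper are constructed for the demo and assume POSIX paths; the lookup order mirrors the TEMPLATEPATH, stylesheet directory and WP_CONTENT_DIR sequence in the patched block.

```php
<?php
// Added example (not s2Member's code): a containment check for a shortcode
// `template` attribute, complementing the str_replace() sanitization above.
declare(strict_types=1);

// Resolve $template against an ordered list of base directories, mirroring the
// TEMPLATEPATH / stylesheet dir / WP_CONTENT_DIR lookup order, and return the
// first real file found. A candidate counts only if its resolved path stays
// inside the base it was joined to, ends in .php, and is outside every
// forbidden directory (here: the uploads folder). Assumes POSIX paths.
function resolve_template(string $template, array $bases, array $forbidden): ?string
{
    // Reject empty values, NUL bytes and absolute paths before touching the filesystem.
    if ($template === '' || strpos($template, "\0") !== false || $template[0] === '/') {
        return null;
    }
    if (strtolower(pathinfo($template, PATHINFO_EXTENSION)) !== 'php') {
        return null;
    }
    foreach ($bases as $base) {
        $baseReal  = realpath($base);
        $candidate = realpath($base . '/' . $template);
        if ($baseReal === false || $candidate === false || !is_file($candidate)) {
            continue;
        }
        // Containment: the resolved file must sit below the resolved base directory.
        if (!str_starts_with($candidate, $baseReal . '/')) {
            continue;
        }
        foreach ($forbidden as $dir) {
            $dirReal = realpath($dir);
            if ($dirReal !== false && str_starts_with($candidate, $dirReal . '/')) {
                continue 2; // inside a forbidden tree: try the next base, never include it
            }
        }
        return $candidate;
    }
    return null;
}

// Constructed layout under the system temp dir, standing in for a theme folder
// and for wp-content/uploads; no WordPress install is needed to run this.
$root    = sys_get_temp_dir() . '/tpl-demo-' . getmypid();
$theme   = $root . '/theme';
$content = $root . '/wp-content';
$uploads = $content . '/uploads';
mkdir($theme, 0700, true);
mkdir($uploads, 0700, true);
file_put_contents($theme . '/member-list.php', "<?php // theme template\n");
file_put_contents($uploads . '/user-file.php', "<?php // something a user uploaded\n");
file_put_contents($root . '/outside.php', "<?php // file above every base\n");

$bases = [$theme, $content];
foreach (['member-list.php', 'uploads/user-file.php', '../outside.php', 'member-list.txt'] as $attr) {
    $resolved = resolve_template($attr, $bases, [$uploads]);
    printf("%-24s -> %s\n", $attr, $resolved === null ? 'rejected' : $resolved);
}

// Clean up the constructed files.
foreach ([$theme . '/member-list.php', $uploads . '/user-file.php', $root . '/outside.php'] as $f) {
    unlink($f);
}
foreach ([$uploads, $content, $theme, $root] as $d) {
    rmdir($d);
}
```

Only the first attribute resolves to a file; the other three are rejected by the uploads exclusion, the containment check and the extension check respectively, which is the behaviour worth confirming with Wordfence's scan after applying any patch.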

2 posts were split to a new topic: Possible Alternatives to s2Member

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/s2member/s2member-250214-authenticated-administrator-local-file-inclusion

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/s2member-pro/s2member-pro-250214-authenticated-contributor-local-file-inclusion-to-remote-code-execution-via-shortcode

What is the status of the fixes for these?

I moved your message back here, so you could find the answer above.

I am unlocking the topic for the time being. Just in case anybody wants to talk about it. I thought I was helping by closing it, but maybe it was a bad idea, sorry.

The report says the user needs to have admin privileges to be able to use that new “vulnerability”. It’s my understanding that if you’re an admin you’re supposed to have full control no matter what. What am I missing here?

Also, this is a feature of the plugin. We can inject php code. Not only use shortcodes.

What changed now, from before?

:slightly_smiling_face: