All Versions Critical Vulnerability

Without having seen any details of the so-called vulnerability I’m only able to go by the description linked in the first message in this thread… but by my estimation the ‘template’ attribute is able to call code contained within a php file.

So if your shortcodes don’t include an attribute tag pointing to a php file, then afaik there is no way to arbitrarily include one in the shortcode and make it execute on the server.

The details of pro-forms templates are here.

Lastly the 250214 update included three lines of code to sanitise any included template attribute on a pro-form.

So unless I’m very much mistaken this issue is a non issue. No?

In my not-so-modest opinion, no self-respecting admin would be stupid enough to give ANYONE permission to anything that could run code on their machine.

I mean ¯\_(ツ)_/¯ WTF? 

That’d be the stupidest thing ever.


I agree with you that we’re likely safe. Even without the patch.

We DO give anybody permission to run our php since WordPress is based on dynamic php, except for the cached parts etc.

The public can run and read but can’t modify.

Otherwise our websites would not work.

Or am I missing something?

:slightly_smiling_face:

The template attribute allows a named file to be called and used in place of the form’s usual template, allowing customisation of s2member forms by enterprising sysadmins and/or devs.

Clearly if a user had editing rights they could add a shortcode with such an attribute or even run php code directly if they had the ezPHP plug-in (or similar) installed.

Without seeing details of the alleged vulnerability it may just be that the security researcher has seen this functionality and declared it prima facie insecure. We just don’t know.

But clearly any admin that allows anyone access to their system in such a way that they could add code that runs on their system isn’t much of a sysadmin.


I agree with you.

If we only allow users read permissions and comments in plain text, even if they typed php code it should not be executed and should be treated by WordPress as a plain text representation, like when we post examples in forums, etc.

Even if they upload files (if they’re authors or if you allow them to upload images when commenting etc.) I assume it’s up to WordPress’s core (and major security plugins) to protect against such bad executions?

I will eventually try to understand the situation better but it will take me a while because I am a bit overwhelmed with personal matters :grimacing:

I’ll do the best I can, meanwhile, to be here on and off. Removing bad posts and trying to help when I see something familiar enough for me to try to clarify. I appreciate that we have a nice and patient community here.

I hope @clavaque comes around soon as well.

Meanwhile, enjoy the first spring weekend, if you’re in the Northern Hemisphere.

:tulip::tulip::tulip:


Hi @clavaque, could you please comment on this vulnerability announcement:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/s2member-pro/s2member-pro-241216-unauthenticated-php-object-injection

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the ‘s2member_pro_remote_op’ vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

The fix is to upgrade to v250214.

But I don’t see any mention of this critical security vulnerability in the changelog: https://s2member.com/changelog

Can you comment on how to check whether a site running s2member might also have a “POP chain” in another plugin or theme, as described in that notice?

Thank you!
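The notice above says the danger depends on whether some other plugin or theme supplies a "POP chain", that is, a class whose magic methods PHP runs during or after deserialization. The following script is an added example (not part of this thread, not s2Member code, and not Wordfence’s tooling) that inventories such classes under a WordPress install. The directory defaults and file name are assumptions. A hit only means the class deserves review: a magic method is necessary for a gadget chain but far from sufficient, and the actual mitigation remains upgrading the plugin.

```php
<?php
// Added example, not from the thread or from s2Member: inventories classes in
// the plugin and theme directories that define magic methods PHP may invoke
// during or after unserialize(). A hit means "review this class", nothing
// more: such a method is necessary for a POP chain but far from sufficient.

const MAGIC_METHODS = ['__wakeup', '__unserialize', '__destruct', '__tostring', '__call', '__get'];

// Token-based scan of one PHP source string; returns class/method/line hits.
function find_magic_methods(string $source): array
{
    $hits   = [];
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $class  = null;

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;
        }
        if ($tok[0] === T_CLASS || $tok[0] === T_TRAIT) {
            // Skip Foo::class constants; for a declaration the name follows the keyword.
            if ($i > 0 && is_array($tokens[$i - 1]) && $tokens[$i - 1][0] === T_DOUBLE_COLON) {
                continue;
            }
            for ($j = $i + 1; $j < $count; $j++) {
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                    $class = $tokens[$j][1];
                    break;
                }
                // '{', '(' or extends/implements right after the keyword: anonymous class.
                if ($tokens[$j] === '{' || $tokens[$j] === '('
                    || (is_array($tokens[$j]) && in_array($tokens[$j][0], [T_EXTENDS, T_IMPLEMENTS], true))) {
                    $class = '(anonymous class)';
                    break;
                }
            }
        } elseif ($tok[0] === T_FUNCTION && $class !== null) {
            for ($j = $i + 1; $j < $count; $j++) {
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                    if (in_array(strtolower($tokens[$j][1]), MAGIC_METHODS, true)) {
                        $hits[] = ['class' => $class, 'method' => $tokens[$j][1], 'line' => $tokens[$j][2]];
                    }
                    break;
                }
                if ($tokens[$j] === '(') {
                    break; // closure, not a method declaration
                }
            }
        }
    }
    return $hits;
}

// Walks a directory tree and scans every .php file it finds.
function scan_tree(string $root): array
{
    $report = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $source = @file_get_contents($file->getPathname());
        if ($source === false) {
            continue;
        }
        foreach (find_magic_methods($source) as $hit) {
            $hit['file'] = $file->getPathname();
            $report[] = $hit;
        }
    }
    return $report;
}

// Usage: php scan-magic-methods.php [dir ...]
// Default directories assume the current directory is the WordPress root (assumption).
$roots = count($argv) > 1 ? array_slice($argv, 1) : ['wp-content/plugins', 'wp-content/themes'];
foreach ($roots as $root) {
    if (!is_dir($root)) {
        fwrite(STDERR, "skipping $root: not a directory\n");
        continue;
    }
    foreach (scan_tree($root) as $hit) {
        printf("%s:%d  %s::%s()\n", $hit['file'], $hit['line'], $hit['class'], $hit['method']);
    }
}
```

Run it from the site root, or pass the directories explicitly. Expect a long list on any real install: libraries such as PHPMailer, Guzzle or Monolog all define `__destruct` or `__toString`, which is exactly why researchers phrase the risk as "if a POP chain is present". The useful output is the set of classes you did not know were there; whether any of them can be chained is a code-review question, and the upgrade closes the entry point regardless.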

I have the same error on my wordpress site too. This is being flagged as a MAJOR vulnerability and there’s no update showing. I’m running Version 250214 + s2Member Pro v220421

@clavaque Is this a known issue that will be handled? I’d prefer to not disable the plugin but I also don’t want to run my site with a major security flaw present.

Well the problem is that 250214 has serious IPN issues and is unusable for many setups.
Maybe it’s the fix that messes up s2member or another change, but 250214 is not release-worthy.

The only change I was able to find related to this is the following:

  • in [pro\s2member-pro\includes\classes\remote-ops.inc.php at line #135]

if (is_array($serialized_op = maybe_unserialize($op))) {

to

if (is_serialized($op) && is_array($serialized_op = @unserialize(trim($op), ['allowed_classes' => false]))) {

Not sure if there are more changes. I will use that change and look if it causes me any problems. I hope not; I hope this is not related to the IPN redirection mess-up.

However, I think there were actually two vulnerabilities present, because the changelog is as follows, so there is another one discovered by István Márton from Wordfence:

  • (Pro) Enhancement : Improved data handling in the Remote Operations API. Props to István.
  • (Pro) Enhancement : Improved validation of the template attribute in pro-forms and s2Member-List shortcodes. Props to István.

I may try if I can just use s2member-pro 250214 by changing its version number to the older one.

Edit: it’s okay to update s2member-pro only, the IPN mess must be in the s2member plugin itself. s2member-pro is not messed up.

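To make the one-line change quoted above concrete, here is an added example (not s2Member’s code; the class, function and stub names are hypothetical stand-ins) that puts the pre-250214 shape of that line next to the patched shape and feeds both a legitimate array and a constructed payload that smuggles an object in. `is_serialized_stub()` is a simplified stand-in for WordPress’s `is_serialized()`; the pre-fix branch mirrors what `maybe_unserialize()` does, which is to call `unserialize()` with no class restriction.

```php
<?php
// Added example, not s2Member's code: contrasts the pre-250214 shape of the
// remote-ops line (input handed to an unrestricted unserialize) with the
// patched shape (allowed_classes => false). Names here are hypothetical.

// Stand-in for any class a theme or plugin might define with a magic method.
// Its body is harmless; it only counts how often deserialization invoked it.
final class WakeupProbe
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Simplified stand-in for WordPress's is_serialized(): a loose format check only.
function is_serialized_stub(string $data): bool
{
    return (bool) preg_match('/^(?:[aOC]:\d+:|[ibd]:|s:\d+:|N;)/', trim($data));
}

// Pre-fix shape: maybe_unserialize() calls unserialize() with no class
// restriction, so every object in the payload is instantiated and its
// __wakeup() runs before is_array() is even evaluated.
function handle_remote_op_before(string $op): ?array
{
    $serialized_op = is_serialized_stub($op) ? @unserialize(trim($op)) : $op;
    return is_array($serialized_op) ? $serialized_op : null;
}

// Post-fix shape (as quoted in the thread): objects are never instantiated;
// they come back as inert __PHP_Incomplete_Class placeholders instead.
function handle_remote_op_after(string $op): ?array
{
    if (is_serialized_stub($op)
        && is_array($serialized_op = @unserialize(trim($op), ['allowed_classes' => false]))) {
        return $serialized_op;
    }
    return null;
}

// Constructed inputs: a legitimate array payload and one smuggling an object.
$benign  = serialize(['op' => 'get_user', 'user_id' => 1]);
$hostile = serialize([new WakeupProbe()]);

foreach (['before' => 'handle_remote_op_before', 'after' => 'handle_remote_op_after'] as $label => $fn) {
    WakeupProbe::$wakeups = 0;
    $benignResult  = $fn($benign);
    $hostileResult = $fn($hostile);
    printf(
        "%-6s benign accepted: %s | hostile accepted: %s | __wakeup() calls: %d | placeholder object: %s\n",
        $label,
        $benignResult !== null ? 'yes' : 'no',
        $hostileResult !== null ? 'yes' : 'no',
        WakeupProbe::$wakeups,
        isset($hostileResult[0]) && $hostileResult[0] instanceof __PHP_Incomplete_Class ? 'yes' : 'no'
    );
}
```

Both versions accept the legitimate array, and both even accept the hostile array (it is, after all, an array). The difference is in the side effects: the pre-fix line lets `WakeupProbe::__wakeup()` run simply because the request mentioned that class name, whereas the patched line leaves the object as a `__PHP_Incomplete_Class` placeholder on which no constructor, `__wakeup()` or `__destruct()` of a real class ever executes. That is the whole point of `allowed_classes => false`: the entry point stops mattering whether or not some other plugin on the site happens to ship a usable gadget chain. The added `is_serialized()` guard keeps plain strings away from `unserialize()` altogether.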

I joined the three abandoned messages above to this topic, since they’re a bit related (even though not exactly).

:tulip:

From memory @clavaque opted NOT to mention this vulnerability existed or that it was fixed, which I believe is a mistake. Knowing a product is patched is better than not knowing if the authors are aware of any issues or not. No substantial piece of software can be considered 100% totally safe, and to assume so is foolish in the extreme. Writing software, especially open source software, is a HUGE task and I’m grateful every time I find a new product that fits my needs, and I ALWAYS assume there are bugs awaiting discovery.

All that said does anyone know if shortcodes are configured to be executed within wordpress comments by default? I always have comments disabled on my site, so I never really think about it, but this newly announced “vulnerability” does make me consider it again…

The version before the latest is the one that was supposedly patched for the security issue, but my brain can be playing tricks on me, so don’t take what I say as gospel now or ever, just my perspective :innocent:

To be honest I am more worried about @clavaque’s well-being because he suddenly disappeared without any sort of notice.

I really hope he’s okay. :pray:t2:

Sooner or later, if he comes around, he’ll know what to do. Otherwise, we’ll figure it out too.

I don’t want to promise anything because I might not be able to deliver. I have previous experience as a systems analyst but I know nothing of php. :grimacing:

When my brain cooperates I am a fast learner, but I am terrified of promising anything without being able to deliver.

I am also not going to put a massive number of “brain frying hours” on a project without being rewarded for my work. Fixing gaps here and there for free is ok because I like the project and the community, but something massive as having to actually use a lot of energy spoons (I have CFS, it’s a common term we use) on this without earning enough might not happen.

I have a feeling we are somewhat safe and that we should not panic. Same when you get files that are modified and antiviruses give you a false positive because they don’t want liability when unable to properly assess a threat’s existence.

:pray:t2:


As much as I hate to admit it, it may be time to move on from S2member. If it were purely a free product, I could understand the lack of support. But I (and many here) paid good money for this and to get zero support is unfathomable.

I specifically left Memberful in order to have a one-time purchase of something that worked great. In the end, this old and barely maintained plugin is going to bite us in the butt with critical security vulnerabilities.

Maybe it’s time to see if the Stripe subscriptions we’re all using behind the scenes can just be used on the front end with some plugins or something. At least then we’d get their modern interface rather than a signup form that looks shady no matter how much CSS you put into it.

Well, @clavaque said he’s not abandoning the project. I assume he might be dealing with personal issues.

It’s surely difficult for him to keep the project going if he doesn’t get paid to do it, so I believe that he might (fairly) modify his business model, maybe charge per update or a monthly fee to get updates after a specific date.

When we deal with large corporations it’s usually revolting when they don’t grandfather us in and honor their original promises, but when it’s a small creator like @clavaque I believe it’s more than fair to have some sort of affordable maintenance cost that’s a small fixed fee we pay on a monthly or yearly basis.

I still prefer to use s2member than other plugins that snoop our data and try to manage our subscriptions instead of allowing us to do it without sharing user information. I’d not accept that unless there were really no other way.

I am already in talks with someone, thanks to @Gerard, who took the initiative and included me in the conversation. There will be news soon, very likely instructions on this very topic telling everybody which file to change and which modification to make, so everybody can implement such modifications.

I think I have another topic or two where I show modifications I made to fix other errors, if I can find those topics I’ll update them too, otherwise I might start new ones, in case anybody wants to add my “hacks” (mostly to fix IPN payment / cancellation related issues).

Stay tuned for news coming soon.

:tulip: