Hi @clavaque, is it true that any s2member sites running code older than the most recent release are vulnerable to their administrator accounts being taken over?
I got this security alert from Wordfence:
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user’s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user’s passwords, including administrators, and leverage that to gain access to their account.
Can you comment on this? The changelog for 260215 has a very long list of fixes, and all I could find that seems to reference this alert is this:
(Framework) Security: Harden the registration password handler.
If everyone needs to update immediately to avoid the possibility of their website being taken over, I think that should be made extremely clear at the very top of the changelog for this release.
I have updated my own site, but I wanted to post here for others who may not be subscribed to get security alerts from a third party.

