Extreme Vulnerability below version 250214: Please comment!

Hi @clavaque, could you please comment on this vulnerability announcement:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/s2member-pro/s2member-pro-241216-unauthenticated-php-object-injection

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the ‘s2member_pro_remote_op’ vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

The fix is to upgrade to v250214.

But I don’t see any mention of this critical security vulnerability in the changelog: https://s2member.com/changelog

Can you comment on how to check whether a site running s2member might also have a “POP chain” in another plugin or theme, as described in that notice?

Thank you!

I have the same error on my WordPress site too. This is being flagged as a MAJOR vulnerability and there’s no update showing. I’m running Version 250214 + s2Member Pro v220421

@clavaque Is this a known issue that will be handled? I’d prefer to not disable the plugin but I also don’t want to run my site with a major security flaw present.

Well, the problem is that 250214 has serious IPN issues and is unusable for many setups.
Maybe it’s the fix that messes up s2member, or another change, but 250214 is not release-worthy.

The only change I was able to find related to this is the following:

  • in [pro\s2member-pro\includes\classes\remote-ops.inc.php at line #135]

if (is_array($serialized_op = maybe_unserialize($op))) {

to

if (is_serialized($op) && is_array($serialized_op = @unserialize(trim($op), ['allowed_classes' => false]))) {

Not sure if there are more changes. I will use that change and look if it causes me any problems. I hope not; I hope this is not related to the IPN redirection mess-up.

However, I think there were actually two vulnerabilities present, because the changelog is as follows, so there is another one discovered by István Márton from Wordfence:

  • (Pro) Enhancement : Improved data handling in the Remote Operations API. Props to István.
  • (Pro) Enhancement : Improved validation of the template attribute in pro-forms and s2Member-List shortcodes. Props to István.

I may try if I can just use s2member-pro 250214 by changing its version number to the older one.

Edit: it’s okay to update s2member-pro only; the IPN mess must be in the s2member plugin itself. s2member-pro is not messed up.
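The following is an added, stand-alone illustration of why the one-line change quoted above (the `allowed_classes => false` option on `unserialize()`) closes the object-injection hole. It is not s2Member's code and does not use WordPress functions: `looks_serialized()` is a simplified stand-in for WordPress's `is_serialized()`, and `Probe` is a harmless stand-in for any class whose magic methods a deserialized object could trigger. All inputs are constructed here.

```php
<?php
// Added example, not s2Member or WordPress code. Contrasts the unpatched and
// patched deserialization paths from the forum post above.

// Stand-in for WordPress's is_serialized() (assumption: WP's version is more
// thorough; this only needs to accept the demo inputs below).
function looks_serialized(string $s): bool
{
    return (bool) preg_match('/^(?:[aOs]:\d+:|[ibd]:|N;)/', trim($s));
}

// Harmless stand-in for a class with magic methods. If PHP instantiates it
// during unserialize(), __wakeup() runs and the counter goes up. In a real
// POP chain such a method would do something far more interesting; here it
// only records that it ran.
class Probe
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Unpatched shape: a plain unserialize() instantiates any class named in the
// input before the is_array() check gets to reject the result.
function handle_op_unpatched(string $op): ?array
{
    $val = @unserialize($op);
    return is_array($val) ? $val : null;
}

// Patched shape (the change quoted in the thread): with allowed_classes=false
// no user-defined class is ever instantiated; objects in the input come back
// as __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget runs.
function handle_op_patched(string $op): ?array
{
    if (looks_serialized($op)
        && is_array($val = @unserialize(trim($op), ['allowed_classes' => false]))) {
        return $val;
    }
    return null;
}

// Constructed inputs: one legitimate array payload, one payload carrying an
// object nested inside an array (so it still passes the is_array() check).
$legit  = serialize(['op' => 'get_user', 'user_id' => 7]);
$nested = serialize(['op' => 'get_user', 'x' => new Probe()]);

// Legitimate input behaves the same on both paths.
assert(handle_op_unpatched($legit)['user_id'] === 7);
assert(handle_op_patched($legit)['user_id'] === 7);

// Unpatched: the nested object is instantiated and its __wakeup() runs.
Probe::$wakeups = 0;
$out = handle_op_unpatched($nested);
printf("unpatched: wakeups=%d, x is %s\n", Probe::$wakeups, get_class($out['x']));

// Patched: the nested object is an incomplete-class placeholder, __wakeup()
// never runs, and the array is still usable for its string/int fields.
Probe::$wakeups = 0;
$out = handle_op_patched($nested);
printf("patched:   wakeups=%d, x is %s\n", Probe::$wakeups, get_class($out['x']));
```

Run it with `php example.php`; the unpatched path reports `wakeups=1` and `x is Probe`, while the patched path reports `wakeups=0` and `x is __PHP_Incomplete_Class`. That difference is the whole fix: the input is still accepted when it is an array, but the deserializer can no longer instantiate classes from other plugins or themes, which is what the advisory's "POP chain" caveat refers to.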