High Risk Vulnerability

I have a Pro account, so I have just tried contacting @clavaque directly, using the “s2Member Pro Question? Contact Us” button on: https://s2member.com/support/

In another thread, he says he “checks the support inbox daily”: Pro member support not responding

Hopefully we will get more details soon.

It may be that the vulnerability is only an issue under specific, narrow circumstances.

But until we know more, I have installed a “maintenance mode” plugin, put the site in maintenance mode with an apologetic message, and deactivated and deleted the s2member and s2member Pro plugins. Not great for our members, but better than getting hacked.

2 Likes

Hi guys.

Yes, I’m aware of that report, and am working on the fix to release it soon.

I won’t give the details here, but it’s something that can happen only under a combination of circumstances, so most aren’t affected by it.

If someone wants me to check his site to tell him if he’d be affected, you can email me at support@wpsharks.com with the site’s address so I take a look.

:slight_smile:

2 Likes

Thanks Christian!

1 Like

Thanks Christian and Bill. Good luck

1 Like

Hi all! Quick update: @clavaque did take a look at my site, and he assured me that this vulnerability would not affect it. Thanks, Cristián!

I did have trouble reaching the email address he gave above; not sure if it was an issue with my email or the wpsharks.com server, but my emails were not delivered.

But if you have a Pro membership and you use that contact form I described above, you should be able to use that form to reach him.

Thanks again, Cristián! I really appreciate the help, and good luck with the fix.

1 Like

Duplicate of this post.

1 Like

This is a disaster, CVE says they reported it Dec 2 and it still hasn’t been patched?

1 Like

Is there any response from S2 Member? It’s been at least 11 days since this was announced. I’m a bit surprised my client’s IT hasn’t demanded that S2 Member Pro be removed from all 6 of their sites. I need a response with some indication of when this will be fixed.

1 Like

The disaster is that the topic was already deleted! If that bug is existing it’s really serious

1 Like

Looks like they are working on this according to another older thread:

1 Like

Hello. I didn’t realize this was a duplicate post (original post , though it’s not showing on forum). As per the thread, Cristian is working on it. He suggests contacting him ( support@wpsharks.com) with your site URL so he can verify it’s secure in the meantime before he finds a fix. I will do so.

I’ve sanitized my original post to avoid advertising the issue.
MB

I hid it from the forum listing to make it less obvious for potentially bad actors. You can still find it if you’re in the conversation.

1 Like

I am receiving an alert that there is a critical vulnerability in S2member (pro).

Here is the link to the CVE

Here is the link to the original vulnerability report

Is this something you are aware of and will a patch be available?

According to the author there should be a patch soon but no ETA has been given

https://forums.wpsharks.com/t/high-risk-vulnerability-remote-code-execution/12522/10

1 Like

I tried to join the entire conversation on a single topic, listed, and I made the title a bit less obvious, just in case.

I hope this helps.

:slightly_smiling_face:

Hey All,
Not sure if this is known or getting worked on but there is a security vulnerability in S2Member pro.

Please patch ASAP

WordPress s2Member Pro Plugin <= 241114 is vulnerable to Remote Code Execution (RCE)

https://patchstack.com/database/wordpress/plugin/s2member/vulnerability/wordpress-s2member-excellent-for-all-kinds-of-memberships-content-restriction-paywalls-member-access-subscriptions-plugin-241114-remote-code-execution-rce-vulnerability?_a_id=431

1 Like

Email sent there is bouncing. :worried:

This release fixes the vulnerability.

2 Likes