High Risk Vulnerability

I tried to join the entire conversation on a single topic, listed, and I made the title a bit less obvious, just in case.

I hope this helps.

:slightly_smiling_face:

Hey All,
Not sure if this is known or getting worked on but there is a security vulnerability in S2Member pro.

Please patch ASAP

WordPress s2Member Pro Plugin <= 241114 is vulnerable to Remote Code Execution (RCE)

https://patchstack.com/database/wordpress/plugin/s2member/vulnerability/wordpress-s2member-excellent-for-all-kinds-of-memberships-content-restriction-paywalls-member-access-subscriptions-plugin-241114-remote-code-execution-rce-vulnerability?_a_id=431

1 Like

Email sent there is bouncing. :worried:

This release fixes the vulnerability.

2 Likes

So this vulnerability was only when using s2get or also other occurrences?

I don’t think hiding the discussion of a highly exploitable vulnerability, which has just been fixed, is a very sensible thing to do. For one thing, people will have no idea if the vulnerability is fixed, which will undermine confidence in s2member.

“Obscurity is not security”

No, the s2Get was something else. The vulnerability was related to the emails. I try not to give details just in case someone reads them and gets funny ideas.

True, although the way I see it, that’d be about ignoring the problem hiding it under the carpet, but here I am addressing it and releasing a fix.

There’s thousands of installations, and they don’t all update immediately, or even see the notifications immediately even if it said it’s urgent, so I prefer not giving away details and speeding up an awareness in someone with a bad intention before more sites could patch it.

Although the vulnerability required a few factors to be present together to be possible, I still prefer not to give away the details openly immediately. The security website also doesn’t mention the specifics. With the difference that if someone now inspects my release, he could figure out what it was and use it, so it will be better for more people to have updated first.

At least that’s how I think about it, and of course others think differently.

:slight_smile:

2 Likes