PT-2025-6522 · WordPress · S2Member Pro
István Márton · Published 2025-02-15 · Updated 2025-02-24
CVE-2024-12562 · CVSS v3.1 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
s2Member Pro plugin for WordPress versions up to, and including, 241216
Description
The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input from the s2member pro remote op parameter. This allows unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, but if a POP chain is present via an additional plugin or theme, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. The issue stems from the plugin's failure to properly sanitize user input before deserializing it. Millions of WordPress sites are potentially vulnerable.
Recommendations
For versions up to, and including, 241216, consider disabling the s2member pro remote op parameter to minimize the risk of exploitation until a patch is available. Restrict access to the vulnerable plugin to prevent unauthenticated attackers from injecting PHP Objects. Avoid using the s2member pro remote op parameter in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
CVE-2024-12562
Affected Products
S2Member Pro
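Added illustration of the weakness class named above (PHP Object Injection via unserialize() of a request parameter) beside two hardened forms; this is not s2Member Pro's code, and the parameter name `remote_op`, the function names and the operation allow-list are assumptions made for the example:

```php
<?php
// Illustrative only: NOT s2Member Pro's code. Shows the vulnerability class
// the advisory describes and two hardened replacements. The parameter name
// "remote_op" and the allow-listed operations are placeholders.

// --- Vulnerable pattern: untrusted input reaches unserialize() ---
function handle_remote_op_vulnerable(array $request) {
    // Every object in the client-supplied payload is instantiated, so the
    // __wakeup()/__destruct() of any loaded class (core, plugin, theme)
    // becomes reachable: this is the "POP chain" the advisory refers to.
    $op = unserialize(base64_decode($request['remote_op'] ?? ''));
    return is_array($op) ? $op : null;
}

// --- Hardened pattern 1: keep unserialize(), forbid object instantiation ---
function handle_remote_op_no_objects(array $request) {
    $raw = base64_decode($request['remote_op'] ?? '', true); // strict decode
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false maps every object to __PHP_Incomplete_Class,
    // so no user-defined magic method runs. max_depth (PHP >= 7.4) bounds
    // nesting so a deeply nested payload cannot exhaust the parser.
    $op = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    return is_array($op) ? $op : null;
}

// --- Hardened pattern 2: a data-only format plus an explicit allow-list ---
function handle_remote_op_json(array $request) {
    $raw = base64_decode($request['remote_op'] ?? '', true);
    if ($raw === false) {
        return null;
    }
    $op = json_decode($raw, true, 8); // associative arrays only, no objects
    if (!is_array($op) || !isset($op['op']) || !is_string($op['op'])) {
        return null;
    }
    // Assumed allow-list; unknown operations are rejected rather than dispatched.
    // A remote-op endpoint should additionally require authentication or a
    // signed request, which is omitted here to keep the example focused.
    return in_array($op['op'], ['get_user', 'create_user'], true) ? $op : null;
}
```

Pattern 1 is the minimal change when the wire format cannot be replaced; pattern 2 removes PHP serialization from the attack surface entirely and is the preferable fix for new code.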