CVE-2026-1994

Name of the Vulnerable Software and Affected Versions s2Member versions prior to 260128

Description The s2Member plugin for WordPress is susceptible to privilege escalation via account takeover. The plugin does not properly validate a user’s identity before allowing password updates. This allows unauthenticated attackers to change passwords for any user account, including administrator accounts, potentially leading to full site takeover. A compiled exploit for this issue is being sold, with builds available for Windows and macOS.

Recommendations Versions prior to 260128 should be updated to version 260128 or later. As a temporary workaround, monitor for unauthorized password changes.