Sensitive Information Exposure in WordPress Membership Plugin
CVE-2024-8326

8.8 HIGH

Summary

CVE-2024-8326 is a high-severity vulnerability (CVSS 3.1 base score 8.8) in the s2Member plugin for WordPress, affecting all versions up to and including 241114. The flaw is in the 'sc_get_details' function, which lets authenticated attackers with Contributor-level access or higher read sensitive information such as user data and database configuration details. With that information exposed, an attacker could read, modify, or delete database tables, putting sensitive user information and the integrity of the website at risk. A partial patch was introduced in version 241114, but users are advised to upgrade to mitigate associated risks.

Affected Version(s)

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions: versions <= 241114

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley