Plugin Vulnerability Hub
Plugin 12 known issues Latest disclosed Feb 18, 2026

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Vulnerabilities

Review known vulnerability records for the WordPress plugin s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions (`s2member`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-1994, CVE-2025-13732 and CVE-2025-62023, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 12
High or Critical: 8
Patch Coverage: 100%
Last Updated: Feb 20, 2026

Priority CVE Quick Links

Fast paths into s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 12

CVE-2026-1994 Critical 260215
CVE-2026-1994 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Privilege Escalation

s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover

CVE-2025-62023 Critical 251005
CVE-2025-62023 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Remote Code Execution

s2Member <= 250905 - Unauthenticated Remote Code Execution

CVE-2024-31237 Critical 240325
CVE-2024-31237 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Privilege Escalation

s2Member <= 240315 - Limited Privilege Escalation

CVE-2024-8326 High 241216
CVE-2024-8326 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Sensitive Information Exposure

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 241114 - Authenticated (Contributor+) Sensitive Information Exposure

CVE-2025-58998 High 250905
CVE-2025-58998 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Vulnerability

s2Member <= 250701 - Unauthenticated PHP Object Injection

CVE-2024-51815 High 241216
CVE-2024-51815 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Remote Code Execution

s2Member (Pro) <= 241114 - Unauthenticated Remote Code Execution

CVE-2025-32137 High 250424
CVE-2025-32137 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Local File Inclusion

s2Member <= 250419 - Authenticated (Administrator+) Local File Inclusion

CVE-2011-5082 High 111220
CVE-2011-5082 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Cross-Site Scripting

s2Member® Framework (Membership, Member Level Roles, Access Capabilities, PayPal Members) < 111220 - Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 12 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 3 critical and 5 high severity findings.
Recent CVEs: CVE-2026-1994, CVE-2025-13732 and CVE-2025-62023
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Sorted by latest disclosure date so newly published issues surface first.

Plugin Critical Patched: Yes CVE-2026-1994
CVE-2026-1994: s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover

The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthentica...

Published: Feb 18, 2026
Patched Release: 260215
Affected Versions: Versions up to 260127
Next Step: Update to 260215 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-13732
CVE-2025-13732: s2Member <= 251005 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient...

Published: Feb 18, 2026
Patched Release: 260101
Affected Versions: Versions up to 251005
Next Step: Update to 260101 or newer if supported.

Plugin Critical Patched: Yes CVE-2025-62023
CVE-2025-62023: s2Member <= 250905 - Unauthenticated Remote Code Execution

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 250905. This makes it possible for unauthenticated attackers to exec...

Published: Oct 01, 2025
Patched Release: 251005
Affected Versions: Versions up to 250905
Next Step: Update to 251005 or newer if supported.

Plugin High Patched: Yes CVE-2025-58998
CVE-2025-58998: s2Member <= 250701 - Unauthenticated PHP Object Injection

The s2Member plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 250701 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable so...

Published: Aug 21, 2025
Patched Release: 250905
Affected Versions: Versions up to 250701
Next Step: Update to 250905 or newer if supported.

Plugin High Patched: Yes CVE-2025-32137
CVE-2025-32137: s2Member <= 250419 - Authenticated (Administrator+) Local File Inclusion

The s2Member plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 250419 via the 'ws_plugin__s2member_log_file' parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute...

Published: Apr 04, 2025
Patched Release: 250424
Affected Versions: Versions up to 250419
Next Step: Update to 250424 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-26879
CVE-2025-26879: s2Member Pro <= 241216 - Reflected Cross-Site Scripting

The s2Member Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 241216 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

Published: Feb 22, 2025
Patched Release: 250214
Affected Versions: Versions up to 241216
Next Step: Update to 250214 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-11376
CVE-2024-11376: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 241216 - Reflected Cross-Site Scripting

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, an...

Published: Feb 17, 2025
Patched Release: 250214
Affected Versions: Versions up to 241216
Next Step: Update to 250214 or newer if supported.

Plugin High Patched: Yes CVE-2024-8326
CVE-2024-8326: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 241114 - Authenticated (Contributor+) Sensitive Information Exposure

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 241114 via the 'sc_get_details' function. This makes it pos...

Published: Dec 16, 2024
Patched Release: 241216
Affected Versions: Versions up to 241114
Next Step: Update to 241216 or newer if supported.

Plugin High Patched: Yes CVE-2024-51815
CVE-2024-51815: s2Member (Pro) <= 241114 - Unauthenticated Remote Code Execution

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions (Pro) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 241114. This makes it possible for unauthenticated attackers t...

Published: Dec 02, 2024
Patched Release: 241216
Affected Versions: Versions up to 241114
Next Step: Update to 241216 or newer if supported.

Plugin Critical Patched: Yes CVE-2024-31237
CVE-2024-31237: s2Member <= 240315 - Limited Privilege Escalation

The s2Member plugin for WordPress is vulnerable to limited privilege escalation in versions up to, and including, 240315. This is due to insufficient controls during user registration. This makes it possible for unauthenticated attackers to register with higher than the default p...

Published: Apr 05, 2024
Patched Release: 240325
Affected Versions: Versions up to 240315
Next Step: Update to 240325 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-0899
CVE-2024-0899: s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 230815 - Information Exposure

The s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthent...

Published: Mar 18, 2024
Patched Release: 240315
Affected Versions: Versions up to 230815
Next Step: Update to 240315 or newer if supported.

Plugin High Patched: Yes CVE-2011-5082
CVE-2011-5082: s2Member® Framework (Membership, Member Level Roles, Access Capabilities, PayPal Members) < 111220 - Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in the s2Member Pro plugin before 111220 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s2member_pro_authnet_checkout[coupon] parameter (aka Coupon Code field).

Published: Feb 12, 2012
Patched Release: 111220
Affected Versions: Versions before 111220
Next Step: Update to 111220 or newer if supported.