s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 230815 - Information Exposure
Summary
| CVE | CVE-2024-0899 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-04-09 19:15:15 UTC |
| Updated | 2026-04-08 18:19:00 UTC |
| Description | The s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthenticated attackers to see the contents of those posts and pages. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Problem Types: CWE-284 | CWE-284 CWE-284 Improper Access Control
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Clavaque | S2Member Excellent For All Kinds Of Memberships Content Restriction Paywalls Member Access Subscriptions | affected 230815 semver | Not specified |
| ADP | Wp Sharks | S2member | affected 230815 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/changeset | af854a3a-2127-422b-91ae-364da2661108 | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/80bfb470-a3df-497f-940d-051cc... | af854a3a-2127-422b-91ae-364da2661108 | www.wordfence.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Francesco Carlucci (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2024-03-18T00:00:00.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.