Impact
The vulnerability is a Relative Path Traversal flaw that allows an attacker to craft input to the s2Member plugin that resolves to arbitrary file paths on the server. Exploitation can lead to reading sensitive files, exposing configuration data, or executing unintended code if the included content is interpreted as executable. The weakness is classified as CWE-23, a classic path traversal issue. Based on the available description, the attack vector is local file inclusion: no remote network trigger is described, so the flaw is inferred to be reachable through the plugin's input handling.
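As an added illustration of the defensive checks a CWE-23 relative path traversal calls for (this is not code from the s2Member plugin), the block below enforces that a user-supplied relative path stays inside an allowed base directory and separately flags traversal segments in request parameters even when they are URL-encoded more than once. BASE_DIR and all sample inputs are constructed assumptions, not the plugin's real paths.

```python
import os
import urllib.parse

# Added example, not code from the s2Member plugin. Two layers: strict
# containment of a relative include path inside a base directory, and a
# request-side detector for '..' segments that survives URL encoding.
BASE_DIR = "/srv/example-site/includes"  # assumed directory, not the plugin's


def resolve_within(base_dir, user_path):
    """Return the canonical path if user_path stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # A relative include must be relative: reject absolute input outright.
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        return None
    # NUL bytes can truncate the path in C-level file APIs; never pass them on.
    if "\x00" in user_path:
        return None
    # realpath collapses '.', '..' and duplicate separators and follows
    # symlinks, so the containment test runs on what the OS would open.
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        contained = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        contained = False
    return candidate if contained else None


def has_traversal(raw_value, max_decode=3):
    """True if a request parameter still holds a '..' segment after decoding.

    Stricter than resolve_within: a '..' that happens to resolve inside the
    base directory is still flagged, which is the right posture for detection.
    """
    decoded = raw_value
    for _ in range(max_decode):  # unwind double or triple URL encoding
        step = urllib.parse.unquote(decoded)
        if step == decoded:
            break
        decoded = step
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


if __name__ == "__main__":
    # Constructed inputs: one legitimate include and two traversal attempts.
    for value in ("templates/login.php", "../../wp-config.php",
                  "templates/../../wp-config.php"):
        print(repr(value), resolve_within(BASE_DIR, value), has_traversal(value))
```

Run the containment check on the value the application will actually hand to the filesystem (after the framework's own URL decoding), and use the detector on raw request data for logging and alerting.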
Affected Systems
Cristián Lávaque’s s2Member WordPress plugin versions from the earliest available release up through 250419 are affected. Operators using any of these plugin versions on a WordPress site are at risk unless the plugin is updated or removed.
Risk and Exploitability
The CVSS score of 4.9 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time and the vulnerability is not listed in the CISA KEV catalog. The attack remains feasible if the plugin is actively used and if the host’s file permissions allow reading of sensitive files. The path traversal flaw does not require elevated privileges on the host beyond what the WordPress user already has. Overall, the risk is moderate but can be elevated if the attacker has web access and the plugin is enabled.
OpenCVE Enrichment
EUVD