The vulnerability is a deserialization of untrusted data that allows an attacker to perform PHP object injection within the s2Member WordPress plugin. This weakness can enable the attacker to create arbitrary objects, potentially leading to remote code execution or escalation of privileges on the hosting server (inferred from the capability to instantiate malicious objects). The issue is identified as a CWE‑502 vulnerability, which is known to allow attackers to manipulate serialized data and inject malicious objects that bypass normal security checks.

The s2Member plugin, developed by Cristián Lávaque, is affected in all releases up to and including version 250701. WordPress sites that have this plugin installed and have not upgraded past that version are susceptible. The exact minimum affected version is not specified, but any instance of the plugin that is ≤ 250701 is vulnerable.

The CVSS score of 9.8 marks it as critical. The EPSS score of < 1 % suggests a very low current probability of exploitation, but the high severity means a successful exploit would be devastating. The vulnerability is not in the CISA KEV catalog. An attacker could potentially exploit it remotely by sending a crafted serialized object via a web request to the plugin, assuming the site allows user input that is deserialized without proper validation; this could lead to remote code execution (inferred). Because the weakness is a PHP object injection, it can bypass normal authorization checks if the attacker can submit data to the plugin’s entry point.