The vulnerability in the s2Member WordPress plugin is an Improper Control of Generation of Code flaw (CWE‑94) that allows an attacker to inject arbitrary code. If exploited, an attacker can execute any PHP code on the hosting server, leading to full compromise of the website and potentially the underlying server environment. The impact is functional, allowing total control over the site’s data, configuration and the host. The flaw is a code‑execution defect that directly threatens confidentiality, integrity, and availability.

The affected product is the s2Member plugin by Cristián Lávaque. All releases from the first available version up to and including version 250905 are vulnerable. No specific patched version is listed, but any release newer than 250905 is required to mitigate the issue. No other vendors or products are listed as impacted.

The CVSS score of 9 indicates high severity. The EPSS score is less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in CISA KEV. Because the flaw is remote code execution via the plugin, the likely attack vector is a malicious HTTP request to the plugin’s entry points, implying remote exploitation without user interaction. The risk remains high if the vulnerable plugin remains active on any publicly accessible site.