Description
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
Published: 2026-02-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthenticated Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The s2Member plugin for WordPress can be exploited by an unauthenticated attacker to change the password of any account, including administrator accounts, because the plugin fails to confirm the requester's identity before processing a password change. This flaw, classified as CWE-269 (Improper Privilege Management), lets an attacker assume the privileges of the targeted account and thereby read or modify site content, user data, and, for an administrator account, every administrative function of the site. The vulnerability is present in all versions up to and including 260127.

Affected Systems

WordPress sites that use the clavaque s2Member plugin with a version of 260127 or earlier are affected. The plugin is commonly installed to enforce membership, content restrictions, and subscription access controls.

Risk and Exploitability

The CVSS score of 9.8 classifies this issue as critical, but the EPSS score of less than 1% reflects a low current exploitation probability. This vulnerability is not listed in CISA’s KEV catalog. An attacker can trigger the flaw by sending unauthenticated HTTP requests to the plugin’s password‑update endpoint, after which the attacker gains full control over the target account and potentially the entire WordPress installation.

Generated by OpenCVE AI on April 15, 2026 at 20:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the s2Member plugin to version 260128 or later, which implements proper user identity verification before password changes.
  • If an upgrade cannot be performed immediately, temporarily disable the plugin or block the password‑change endpoint using a firewall rule or .htaccess configuration to prevent unauthenticated access.
  • Configure a web application firewall or security plugin to reject unauthenticated password‑change requests and monitor logs for suspicious activity.
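The root cause described above is a password-update path that never ties the request to an authenticated identity. The following WordPress handler is an added illustration of the checks such a path needs; it is not s2Member's code and not the vendor's fix, and the action name `example_change_password`, the hypothetical hook `admin_post_example_change_password` and the request field names are assumptions made for this example.

```php
<?php
/**
 * Illustrative password-change handler for WordPress (added example, not plugin code).
 *
 * The vulnerable pattern behind CVE-2026-1994 is a handler reachable without
 * authentication that takes a target user from the request and writes a new
 * password. The hardened pattern below binds the change to the authenticated
 * session, requires a nonce, limits cross-user changes to the edit_user
 * capability, re-checks the current password, and invalidates other sessions.
 */

// Only the authenticated admin_post hook is registered. Deliberately NOT
// registering admin_post_nopriv_* means unauthenticated requests never reach
// the handler at all.
add_action( 'admin_post_example_change_password', 'example_handle_password_change' );

function example_handle_password_change() {
    // 1. The requester must have a valid WordPress session.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 401 ) );
    }

    // 2. CSRF protection: the nonce is bound to this action and this user's session.
    check_admin_referer( 'example_change_password' );

    // 3. Never let a client-supplied user ID alone decide whose password changes.
    //    Default to the authenticated user; anyone else requires edit_user on
    //    that specific target (a meta capability administrators hold).
    $current_id = get_current_user_id();
    $target_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current_id;

    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_die( 'Not allowed to change this user\'s password.', 'Forbidden', array( 'response' => 403 ) );
    }

    $user = get_userdata( $target_id );
    if ( ! $user ) {
        wp_die( 'Unknown user.', 'Not Found', array( 'response' => 404 ) );
    }

    // 4. Self-service changes must prove knowledge of the current password.
    if ( $target_id === $current_id ) {
        $old = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
        if ( ! wp_check_password( $old, $user->user_pass, $user->ID ) ) {
            wp_die( 'Current password is incorrect.', 'Forbidden', array( 'response' => 403 ) );
        }
    }

    // 5. Basic validation of the new secret before anything is written.
    $new = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new ) < 12 ) {
        wp_die( 'Password too short.', 'Bad Request', array( 'response' => 400 ) );
    }

    wp_set_password( $new, $target_id );

    // 6. A credential change invalidates every other session of that account and
    //    leaves an audit trail naming both the target and the actor.
    WP_Session_Tokens::get_instance( $target_id )->destroy_all();
    error_log( sprintf( 'Password changed for user %d by user %d', $target_id, $current_id ) );

    // The auth cookie derives from the password hash, so re-issue it for self-changes.
    if ( $target_id === $current_id ) {
        wp_set_auth_cookie( $current_id );
    }

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url() );
    exit;
}
```

When auditing a plugin for this class of bug, the questions to ask of each password-writing code path are the ones the handler above answers in order: is it reachable without a session, is there a nonce, where does the target user ID come from, and is a capability checked against that exact target rather than merely against being logged in.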

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Clavaque
  • Clavaque s2member – Excellent For All Kinds Of Memberships, Content Restriction Paywalls & Member Access Subscriptions
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Clavaque
  • Clavaque s2member – Excellent For All Kinds Of Memberships, Content Restriction Paywalls & Member Access Subscriptions
  • Wordpress
  • Wordpress wordpress

Thu, 19 Feb 2026 07:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Type: Title
Values Removed: (none)
Values Added: s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-269

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:09.633Z

Reserved: 2026-02-05T16:34:36.592Z

Link: CVE-2026-1994

Vulnrichment

Updated: 2026-02-19T21:20:28.775Z

NVD

Status : Deferred

Published: 2026-02-19T07:17:44.403

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses