CVE-2024-8326

17.12.2024, 10:15

The s2Member  Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 241114 via the 'sc_get_details' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including user data and database configuration information, which can lead to reading, updating, or dropping database tables. The vulnerability was partially patched in version 241114.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Wordfence	CNA	8.8 HIGH				CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 52%

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://plugins.trac.wordpress.org/browser/s2member/trunk/src/includes/classes/sc-gets-in.inc.php

https://plugins.trac.wordpress.org/browser/s2member/trunk/src/includes/classes/sc-gets.inc.php

https://plugins.trac.wordpress.org/changeset/3188157/

https://plugins.trac.wordpress.org/changeset/3208315/

https://www.wordfence.com/threat-intel/vulnerabilities/id/410d4ab0-22dd-4993-afbf-ae6193b70977?source=cve