CVE-2026-1994

EPSS 0.07%
Veröffentlicht 19.02.2026 06:49:43
Zuletzt bearbeitet 19.02.2026 15:52:39
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerclavaque

≫

Produkt s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Default Statusunaffected

Version <= 260127

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.21

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://www.wordfence.com/threat-intel/vulnerabilities/id/6c31cf92-26b7-484d-8c93-ce241d655d07?source=cve

https://plugins.trac.wordpress.org/browser/s2member/tags/260127/src/includes/classes/registrations.inc.php#L74

https://plugins.trac.wordpress.org/changeset/3461625/s2member#file5

https://nvd.nist.gov/vuln/detail/CVE-2026-1994

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-1994

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-1994

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-1994