What the vulnerability does
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member. This issue affects s2Member: from n/a through <= 250905.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
s2Member versions up to 250905 contain a code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on affected sites. The vulnerability requires high attack complexity but can compromise confidentiality, integrity, and availability across the entire system. Sites running vulnerable versions should update immediately to a patched release.
What an attacker can do
Run arbitrary PHP code on the site without authentication.
Potential impact on your site
Complete compromise of site data, user accounts, and server functionality if exploited.
Conditions required to exploit
Network access; high attack complexity (specific conditions or timing required).