CVE-2026-1994
Privilege Escalation in s2Member Plugin via Password Update Flaw
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| websharks | s2member | to 260127 (inc) |
| websharks | s2member | From 260215 (inc) |
| s2member | s2member | to 260127 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The s2Member plugin for WordPress has a vulnerability that allows privilege escalation through account takeover. This happens because the plugin does not properly verify a user's identity before allowing a password update. As a result, an unauthenticated attacker can change the password of any user, including administrators, and then use that access to take over their account.
What immediate steps should I take to mitigate this vulnerability?
I don't know
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows attackers to gain unauthorized access to user accounts, including those with administrative privileges. Attackers can change passwords without authentication, potentially leading to full control over the affected WordPress site, data breaches, and disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know