
s2Member plugin for WordPress: Passwords can be changed by attackers

CVE-2026-1994
Summary

The s2Member plugin for WordPress, in every version numbered 260127 or lower, updates a user's password without first verifying that the requester is that user. An unauthenticated attacker can therefore set a new password on any account, including administrator accounts, without knowing the current one, and then log in as that user. Because no credentials are needed and the result is full account takeover, the flaw is rated critical (CVSS 3.1 base score 9.8). Check the installed version in the plugin header or via WP-CLI and update to a release that fixes this issue; after updating, review administrator accounts for unexpected password changes, rotate privileged credentials and invalidate existing sessions, since an attacker could already have reset a password before the patch was applied.

Original description
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their account.
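The description above names the root cause (a password update that never validates who is asking) but not the fix. The block below is an added illustration written for this page, not s2Member's code and not a reconstruction of its handler: it shows a generic WordPress `admin-post.php` password-change endpoint that exhibits the described weakness, followed by a hardened version. The hook names (`demo_change_password`, `demo_change_password_safe`), function names and request field names are assumptions for the example; the WordPress API calls (`wp_set_password`, `wp_check_password`, `check_admin_referer`, `WP_Session_Tokens`) are real.

```php
<?php
// Added example for this page: a generic WordPress password-change handler
// showing the CWE-269 pattern described in the advisory. Not s2Member's code;
// hook, function and field names are assumptions.

// --- Vulnerable pattern: identity never validated -------------------------
// Registered for logged-out visitors (admin_post_nopriv_*) and trusts a user
// ID supplied in the request body. Anyone who can POST to
// wp-admin/admin-post.php?action=demo_change_password can reset any account.
add_action( 'admin_post_nopriv_demo_change_password', 'demo_change_password_vulnerable' );
add_action( 'admin_post_demo_change_password', 'demo_change_password_vulnerable' );

function demo_change_password_vulnerable() {
    $user_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $new_pass = isset( $_POST['new_password'] ) ? wp_unslash( $_POST['new_password'] ) : '';

    // No login check, no nonce, no current-password check, target chosen by
    // the attacker: user ID 1 is normally the first administrator.
    wp_set_password( $new_pass, $user_id );
    wp_die( 'Password updated.' );
}

// --- Hardened pattern ------------------------------------------------------
// Only a logged-in user may change a password, only their own, only with a
// valid nonce, and only after re-proving the current password. There is
// deliberately no admin_post_nopriv_* registration.
add_action( 'admin_post_demo_change_password_safe', 'demo_change_password_hardened' );

function demo_change_password_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 401 ) );
    }

    // CSRF protection: the form must carry a nonce bound to this action.
    check_admin_referer( 'demo_change_password_safe' );

    // Identity comes from the authenticated session, never from the request.
    $user_id = get_current_user_id();
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_die( 'Unknown user.', '', array( 'response' => 400 ) );
    }

    $current = isset( $_POST['current_password'] ) ? wp_unslash( $_POST['current_password'] ) : '';
    $new     = isset( $_POST['new_password'] ) ? wp_unslash( $_POST['new_password'] ) : '';

    // Re-authenticate: a stolen session cookie alone is not enough.
    if ( ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_die( 'Current password is incorrect.', '', array( 'response' => 403 ) );
    }
    if ( strlen( $new ) < 12 ) {
        wp_die( 'New password must be at least 12 characters.', '', array( 'response' => 400 ) );
    }

    wp_set_password( $new, $user_id );

    // wp_set_password() does not invalidate sessions by itself; drop every
    // existing session for this user so a pre-existing hijacked session dies.
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();

    wp_safe_redirect( wp_login_url() );
    exit;
}
```

The differences that matter are the ones the advisory points at: the hardened handler derives the target account from the session rather than the request, requires re-entry of the current password, and is never exposed to unauthenticated callers. To check exposure on a live site, read the installed version (`wp plugin get s2member --field=version`, assuming the plugin is installed under the slug `s2member`) and treat anything at or below 260127 as affected.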
NVD CVSS 3.1 base score: 9.8 (Critical)
Vulnerability type
CWE-269 Improper Privilege Management
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026