CVE-2024-12563: 
WordPress vulnerability analysis and mitigation

The s2Member Pro plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2024-12563) discovered in all versions up to and including 250214. The vulnerability was disclosed on March 18, 2025, affecting the plugin's 'template' attribute functionality (NVD, Wordfence Intel).

The vulnerability exists in the 'template' attribute implementation and allows authenticated attackers with contributor-level permissions or higher to include and execute arbitrary files on the server. This enables the execution of any PHP code contained within those files. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity (NVD).

The vulnerability can be exploited to bypass access controls, obtain sensitive data, or achieve arbitrary code execution on the affected server. Given the high CVSS score and the potential for code execution, this vulnerability poses a significant risk to affected WordPress installations (NVD).

Site administrators should update the s2Member Pro plugin to a version newer than 250214 as soon as it becomes available. Until a patch is released, it is recommended to review and potentially restrict contributor-level access to trusted users only (S2Member Changelog).