CVE-2025-58998: 
WordPress vulnerability analysis and mitigation

A PHP Object Injection vulnerability (CVE-2025-58998) was discovered in the s2Member WordPress plugin versions up to and including 250701. The vulnerability was disclosed on August 21, 2025, and affects the plugin's handling of untrusted data deserialization. This security flaw allows unauthenticated attackers to perform object injection attacks (Rapid7, Patchstack).

The vulnerability is classified with a CVSS severity score of 9.8, indicating a critical security risk. The issue stems from improper handling of deserialization of untrusted data, which could lead to PHP Object Injection. While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, the vulnerability could be exploited if additional plugins or themes installed on the target system provide a suitable POP chain (Rapid7, Patchstack).

If successfully exploited, this vulnerability could allow attackers to perform various malicious actions including code injection, SQL injection, path traversal, and denial of service attacks. The impact is particularly severe as it requires no authentication to exploit and could potentially lead to the retrieval of sensitive data or arbitrary file deletion if a suitable POP chain is present (Patchstack).

The vulnerability has been patched in version 250905 of the s2Member plugin. Users are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a mitigation rule to block potential attacks until the update can be applied (Patchstack).