Platform: wordpress
Component: s2member
Fixed in: 260127.0.1
CVE-2026-1994 is a privilege escalation vulnerability in the s2Member plugin for WordPress. An unauthenticated attacker can change the password of any user, including administrators, and so take over the account. The vulnerability affects versions 0.0.0 through 260127; the advisory text names version 260215 as the fixed release.
The impact is severe. Because the attacker sets the new password, no credential strength on the victim's side helps, and an administrator takeover hands over the whole site: sensitive data in the database, site content, the ability to install further plugins or PHP code, and a foothold for attacks on other systems reachable from the WordPress host. The ability to reach administrator accounts is what turns a single-user issue into a full-site compromise.
CVE-2026-1994 was published on February 19, 2026. Its CVSS base score of 9.8 reflects severity (network-reachable, no authentication, no user interaction, full impact), not likelihood; the EPSS estimate on this page is low (0.10%) and no public exploits have been widely reported. Even so, an unauthenticated password change requires little skill to exploit once details are known, so treat it as high priority. Monitor security advisories and threat intelligence feeds for signs of active exploitation campaigns targeting s2Member.
Exploit Status
EPSS: 0.10% (28th percentile)
CVSS: 9.8 base score (vector not provided on this page)
CISA SSVC: not provided on this page
The primary mitigation for CVE-2026-1994 is to upgrade the s2Member plugin to version 260215 or later immediately. If upgrading is not immediately possible because of compatibility issues or breaking changes, the safest interim step is to deactivate the plugin until it can be updated; if that is not an option, enable multi-factor authentication (MFA) on all administrator accounts so that a changed password alone is not enough to log in. Note that stricter password policies do not help here, since the attacker chooses the new password. After patching, reset administrator passwords, terminate all active sessions, and review user accounts for unexpected password changes, new administrator users, or logins from unfamiliar locations.
Update to version 260215, or a newer patched version.
CVE-2026-1994 is a critical vulnerability in the s2Member WordPress plugin that allows unauthenticated attackers to change any user's password, leading to account takeover. It affects versions 0.0.0 through 260127.
If you are using the s2Member plugin for WordPress and your installed version is between 0.0.0 and 260127 (inclusive), you are affected. The installed version is the Version: field in the plugin's main file header, which is also what the WordPress plugin screen and WP-CLI report.
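The following is an added worked example, not code from s2Member or from the advisory. It reads the Version: field from a WordPress plugin file header and classifies it against the version boundaries stated on this page: 260127 as the last affected version and 260215 as the first version the advisory text calls fixed. Because the page also lists 260127.0.1 under "Fixed in", versions between the two boundaries are reported as unverified rather than assumed safe. The plugin header used as input is a constructed sample, and the function names are this example's own.

```python
import re
from typing import Tuple

# Boundaries taken from the advisory text (s2Member uses YYMMDD-style versions).
LAST_AFFECTED = "260127"   # "affects versions 0.0.0 through 260127"
FIRST_FIXED = "260215"     # "a fix is available in version 260215"

# Matches a WordPress plugin header line such as "Version: 260127" or " * Version: 1.2".
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '260127.0.1' into (260127, 0, 1).

    Trailing zero components are dropped so that '260127.0' compares equal to
    '260127'; an extra non-zero component ('260127.0.1') sorts above the bare
    version, which is what tuple comparison gives us for free.
    """
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(v: str) -> str:
    """Return 'affected', 'patched' or 'unverified' for a plugin version string."""
    ver = parse_version(v)
    if ver <= parse_version(LAST_AFFECTED):
        return "affected"
    if ver >= parse_version(FIRST_FIXED):
        return "patched"
    # Between the two boundaries (e.g. 260127.0.1): above the stated affected
    # range but below the release the prose names as fixed. Do not assume safety.
    return "unverified"


def version_from_plugin_header(text: str) -> str:
    """Extract the Version: field from the main plugin file's header comment."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no Version: line found in plugin header")
    return m.group(1)


def triage(plugin_file_text: str) -> str:
    """Classify an installed plugin from the text of its main PHP file."""
    return classify(version_from_plugin_header(plugin_file_text))


# Constructed sample header (hypothetical, not copied from the real plugin file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: s2Member
Version: 260127
*/
"""

if __name__ == "__main__":
    # On a live site the text would come from reading s2member.php under wp-content/plugins.
    print("sample header:", version_from_plugin_header(SAMPLE_HEADER), "->", triage(SAMPLE_HEADER))
    for candidate in ("0.0.0", "250901", "260127", "260127.0.1", "260215", "260301.1"):
        print(f"{candidate:>12}: {classify(candidate)}")
```

On a live site, the same version string is available without reading the file, for example from the Plugins screen or WP-CLI; feed it to `classify` directly. The three-way result matters: only "patched" should close the ticket, and "unverified" should be resolved by checking the vendor's changelog for the specific build.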
Upgrade the s2Member plugin to version 260215 or later to resolve this vulnerability. If an immediate upgrade is not possible, deactivate the plugin or at least enable multi-factor authentication for administrator accounts; password complexity rules do not mitigate an attacker who sets the password directly.
While no widespread exploitation has been publicly reported, the severity of the vulnerability and the simplicity of an unauthenticated password change make active campaigns plausible. Continuous monitoring is recommended.
Refer to the official s2Member website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-1994.