• cboatin18

    (@cboatin18)


    • There is a critical update reported by Wordfence and support is not responding. We switched to this plugin one year ago because it was regularly updated and now we have to switch again.
    • Plugin Name: s2Member Framework
    • Current Plugin Version: 250214
    • Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “s2Member Framework” until a patched version is available.
    • Vulnerability Information: I can’t leave a link here but you can go to Wordfence’s website /Threat Intel/Vulnerabilities
    • Vulnerability Severity: 7.2/10.0 (High)
Viewing 1 replies (of 1 total)
  • Plugin Author Cristián Lávaque

    (@clavaque)

    Hi cboatin18,

    I’m just seeing this review. I’m very sorry I worried you. Those happened right at a time when I had some personal issues that kept me away for a bit. I addressed those notices in recent releases.

    The reports you’re talking about were hugely exaggerated or misleading, and they didn’t give site owners enough details for you to assess the real risk. One “vulnerability” required one to be an administrator of the site to misuse s2Member’s Logs Viewer to see some other file’s contents… If you’re an administrator you don’t need that, you’d already have better ways to do anything you want with the site. The other “vulnerability” required someone to be an Editor of the site to use an s2Member Pro shortcode, then he could load a file from the server, but it omitted to mention that the same user would need the capability to upload that file in the first place, in which case it doesn’t need s2Member to do something with it… Anyway, I addressed those so they’d remove the warnings.
