CVE-2024-12563
Published: 18 March 2025
Summary
CVE-2024-12563 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in S2Member (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-12563 is a Local File Inclusion vulnerability (CWE-98) in the s2Member Pro plugin for WordPress, affecting all versions up to and including 250214. The flaw exists in the handling of the 'template' attribute, which allows improper inclusion of local files. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the 'template' attribute, they can include and execute arbitrary files on the server, leading to PHP code execution. This enables bypassing access controls, obtaining sensitive data, or achieving full remote code execution.
Mitigation details are available in the official s2Member changelog at https://s2member.com/changelog/ and the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d3326e9d-504f-444f-baf7-03989594f483?source=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54096
Vulnerability details
The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute…
more
arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI vuln in public-facing WordPress plugin enables exploitation of public-facing apps (T1190), local file reads for sensitive data (T1005), and PHP code execution for RCE via web shells (T1100).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the Local File Inclusion vulnerability by requiring validation of the 'template' attribute to block arbitrary local file paths and prevent PHP code execution.
Ensures timely identification, reporting, and patching of the flaw in s2Member Pro plugin versions up to 250214, eliminating the vulnerability.
Limits exploitation impact by enforcing least privilege, restricting contributor-level and higher access to only necessary permissions and reducing users able to abuse the 'template' attribute.