The s2Member plugin by Cristián Lávaque contains a code injection vulnerability identified as CVE-2024-51815. This vulnerability arises from improper control over code generation, which can allow an attacker to inject and execute arbitrary code within the affected versions (up to 241114). The CVSS 3.1 base score of 9.0 reflects a critical severity with network attack vector, high attack complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. No official patch or vendor advisory is currently provided, and no known exploits have been reported.

Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on affected systems without requiring privileges or user interaction. This can lead to full compromise of the affected environment, including unauthorized data disclosure, modification, or service disruption. The critical CVSS score underscores the potential for severe impact if exploited.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should monitor for updates from Cristián Lávaque or the s2Member project. Consider applying temporary mitigations such as restricting network access to the affected plugin or disabling it if feasible.