CVE-2026-1994 POC (Proof-of-Concept)

The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Published: 2026-02-19

CVSS: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Download CVE-2026-1994 POC (Proof-of-Concept) here:

http://zeroday5ujpidshxn6zbfitgjltnm6ynx5pvtpmptj3lsq46b6vvrpqd.onion/exploit-for-cve-2026-1994.729/

Tip: Download official Tor Browser at https://www.torproject.org/download/ to access .onion links.

Check our portfolio:

http://zeroday5ujpidshxn6zbfitgjltnm6ynx5pvtpmptj3lsq46b6vvrpqd.onion/members/ccsfteam.254/

https://dnacompany.com/poc-471-cve-2026-27168/

https://dnacompany.com/poc-446-cve-2025-70831/

https://dnacompany.com/poc-16-cve-2026-23997/

https://dnacompany.com/poc-125-cve-2025-64111/

https://dnacompany.com/poc-853-cve-2026-3130/

Social media

Our Services

Contact us

Earthcrate