Hong Kong Security Advisory: XSS in s2Member (CVE-2025-13732)

Cross-Site Scripting (XSS) in WordPress s2Member Plugin
Plugin Name: s2Member
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2025-13732
Urgency: Low
CVE Publish Date: 2026-02-18
Source URL: CVE-2025-13732

s2Member ≤ 251005 — Understanding the Authenticated (Contributor) Stored XSS via Shortcode (CVE-2025-13732) and How to Protect Your Site

Author: Hong Kong Security Expert

Date: 2026-02-18

Summary: A stored cross‑site scripting (XSS) vulnerability affecting s2Member versions ≤ 251005 lets an authenticated user with Contributor privileges store crafted shortcode content that can execute scripts in the context of visitors and other users. This post explains the risk, real‑world exploitation scenarios, immediate mitigations, WAF/virtual patching guidance, detection and response steps, and long‑term hardening recommendations from a Hong Kong security expert perspective.

Quick facts

  • Affected plugin: s2Member (membership / subscription plugin for WordPress)
  • Vulnerable versions: ≤ 251005
  • Fixed in: 260101
  • CVE: CVE-2025-13732
  • Vulnerability class: Stored Cross‑Site Scripting (XSS) via shortcode
  • Required privilege to create the payload: Contributor (authenticated)
  • CVSS (reported): 6.5 — User interaction required; impact varies by context
  • Disclosure date: 18 Feb, 2026
  • Researcher credit: Muhammad Yudha (as reported)

Why this matters for site owners (short version)

  • Contributors can create posts and include shortcodes or rich content, even if they cannot publish directly.
  • Stored XSS lets attacker-supplied scripts persist on your site and execute when viewed by other users (including admins).
  • Even low‑privileged accounts can be leveraged for session theft, privilege escalation, or malware distribution.
  • Membership sites, multi‑author blogs, and any site allowing Contributor accounts are at heightened risk.

How this vulnerability works (high level)

s2Member exposes shortcodes for membership logic (content restriction, payment buttons, etc.). The flaw occurs when shortcode attributes or inner content supplied by a Contributor are not properly sanitized or escaped before storage or rendering. When the stored data is later output, the browser may execute embedded JavaScript or dangerous HTML because it was not escaped.

Key components:

  • Attacker foothold: an authenticated account with Contributor capabilities.
  • Storage vector: post content, custom fields, or any storage area accepting shortcode text.
  • Execution vector: rendering the shortcode on a page viewed by another user (admin, editor, or visitor).
  • Root cause: insufficient input sanitization and/or improper escaping on output when expanding the shortcode.
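The root cause described above, as an added illustration that is not s2Member's code: a minimal WordPress-style shortcode callback written the vulnerable way beside its hardened form. The shortcode name `member_note`, its `label` attribute and the sample stored values are hypothetical; the stand-in functions only exist so the file also runs from the command line outside WordPress.

```php
<?php
// Added illustration, not s2Member's code: a hypothetical [member_note] shortcode
// rendered first without escaping, then with context-appropriate escaping.
// The stand-ins below let the file run from the command line; inside WordPress
// the real esc_attr(), esc_html() and shortcode_atts() are already defined.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function shortcode_atts($pairs, $atts) {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// VULNERABLE pattern: attribute value and inner content are concatenated raw.
// A stored label that closes the quote and adds an event handler becomes live
// markup for every user who renders the post (an admin previewing it included).
function member_note_vulnerable($atts, $content = '') {
    $a = shortcode_atts(['label' => 'Members only'], $atts);
    return '<div class="note" title="' . $a['label'] . '">' . $content . '</div>';
}

// HARDENED pattern: escape at output time, per context. esc_attr() neutralises
// quotes inside the attribute; esc_html() renders inner content as text. If
// limited markup must be allowed instead, WordPress's wp_kses_post() is the
// filter for the inner content; raw HTML from a Contributor must never pass through.
function member_note_hardened($atts, $content = '') {
    $a = shortcode_atts(['label' => 'Members only'], $atts);
    return '<div class="note" title="' . esc_attr($a['label']) . '">'
         . esc_html($content) . '</div>';
}

// Constructed sample of what a low-privilege author could store in a post.
$stored_atts    = ['label' => '" onmouseover="alert(1)'];
$stored_content = '<img src=x onerror=alert(1)>';

echo "Vulnerable: ", member_note_vulnerable($stored_atts, $stored_content), PHP_EOL;
echo "Hardened:   ", member_note_hardened($stored_atts, $stored_content), PHP_EOL;
```

Running the file prints both renderings: the first carries the injected handler and image tag as live markup, the second shows them as inert entity-encoded text.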

Exploitation scenarios and likely impacts

Practical examples of possible impacts:

  1. Privilege escalation via admin session theft

    An attacker stores a malicious payload in a draft or submitted post. An admin previews the page while logged in; the script exfiltrates the admin’s cookie or performs actions such as creating a new admin account via authenticated requests.

  2. Persistent site defacement or content injection

    Malicious banners, fake login forms, or ads injected via stored XSS persist until removed and affect visitors.

  3. Supply chain / customer impact on membership sites

    For sites with paid content, scripts can capture payment details or redirect subscribers to fraudulent pages.

  4. Malware delivery

    Stored scripts can load additional malicious resources (miners, trackers, malware) from external domains when visitors load affected pages.

Who is at risk

  • Any WordPress site running s2Member ≤ 251005.
  • Sites that allow Contributor accounts (multi-author blogs, community sites, membership sites).
  • Sites where administrators preview contributor content on a live site while authenticated.
  • Sites without input/output sanitization, monitoring, or suitable WAF protections.

Immediate actions (what to do right now)

If your site runs a vulnerable s2Member version, act promptly:

  1. Update s2Member

    Update to version 260101 or later as the highest priority. This fixes the root cause in the plugin.

  2. If you cannot update immediately: apply compensating controls

    • Restrict new Contributor account creation and review active contributors.
    • Disable or avoid front‑end previews by administrators; use isolated staging to preview content.
    • Limit rendering of shortcodes on the front end for content created by untrusted roles.

  3. Rotate sensitive credentials

    If an admin may have viewed malicious content, rotate admin passwords, invalidate sessions (change salts or force logout), and regenerate API keys.

  4. Scan for suspicious content

    Search posts, custom fields, and options for patterns such as