Stored Cross-Site Scripting Vulnerability in s2Member WordPress Plugin
CVE-2025-13732

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
S2member – Excellent For All Kinds Of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Vendor
CVE Published:
19 February 2026

What is CVE-2025-13732?

The s2Member plugin, designed for managing memberships and content restriction on WordPress, suffers from a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping capabilities. Specifically, the vulnerability arises in the plugin's 's2Eot' shortcode, permitting authenticated attackers with Contributor-level access or higher to inject malicious web scripts. These scripts execute when users visit pages containing the malicious injection, posing significant risks to site integrity and user data.

Affected Version(s)

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions 0 <= 251005

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/s2member/trunk...
https://plugins.trac.wordpress.org/browser/s2member/trunk...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ
.