Atomic Edge analysis of CVE-2025-13732:
The s2Member WordPress plugin, versions up to and including 251005, contains an authenticated stored cross-site scripting (XSS) vulnerability in its `s2Eot` shortcode handler. This vulnerability allows attackers with Contributor-level permissions or higher to inject arbitrary JavaScript into pages and posts, which executes when other users view the compromised content. The CVSS score of 6.4 reflects the authentication requirement and impact on confidentiality and integrity.

Atomic Edge research identifies the root cause as insufficient input sanitization of shortcode attributes in the `sc-eots-in.inc.php` file. The vulnerable function `c_ws_plugin__s2member_sc_eots_in::sc_eot_details()` processes user-supplied shortcode attributes without proper validation before they reach output contexts. Specifically, the `$attr` array containing shortcode parameters like `future_format`, `past_format`, `next_format`, and `empty_format` passes directly to output functions without escaping HTML special characters.

The exploitation method requires an authenticated attacker with at least Contributor-level access to WordPress. The attacker creates or edits a post or page containing the s2Member shortcode `[s2Eot]` with malicious JavaScript payloads in its format parameters. For example: `[s2Eot future_format="alert(document.cookie)" past_format=""]`. When administrators or other users view the page containing this shortcode, the JavaScript executes in their browser context, potentially stealing session cookies or performing actions as the victim.

The patch in version 260101 adds comprehensive input sanitization to the shortcode handler in `s2member/src/includes/classes/sc-eots-in.inc.php`. The fix introduces a validation loop (lines 84-94) that applies type casting to numeric attributes (`user_id`, `offset`), `sanitize_text_field()` to text attributes (`debug`, `date_format`, `round_to`, `timezone`), and `wp_kses_post()` to format attributes (`future_format`, `past_format`, `next_format`, `empty_format`). The `wp_kses_post()` function specifically prevents XSS by allowing only safe HTML through WordPress’s KSES filter.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of any user viewing the compromised content. This can lead to session hijacking, account takeover, content manipulation, or redirection to malicious sites. For administrators, this could facilitate complete site compromise through privilege escalation. The stored nature means the payload persists across multiple visits until removed.
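Because the payload lives in stored post content, a site that cannot upgrade immediately can triage its database for `[s2Eot]` shortcodes whose format attributes carry markup. The scanner below is an added example, not code from the plugin or from Atomic Edge: its attribute grammar is a simplified version of WordPress shortcode attribute parsing, the attribute groupings follow the advisory text, and the sample posts are constructed.

```python
import re
from typing import Dict, List, Tuple

# Attributes the advisory describes as reaching output unescaped before the patch.
FORMAT_ATTRS = {"future_format", "past_format", "next_format", "empty_format"}

# Matches the shortcode tag and captures its raw attribute text.
SHORTCODE_RE = re.compile(r"\[s2Eot\b([^\]]*)\]", re.IGNORECASE)
# Simplified attribute grammar: key="..." | key='...' | key=bare (assumption: no nested ']' in values).
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))')
# Markup that a date/format string has no reason to contain.
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*script|\bon[a-z]+\s*=|javascript\s*:|<\s*(?:iframe|object|embed|svg)",
    re.IGNORECASE,
)

def parse_attrs(raw: str) -> Dict[str, str]:
    """Parse shortcode attributes, normalising the curly quotes editors often insert."""
    raw = raw.replace("\u201c", '"').replace("\u201d", '"')
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        key = m.group(1).lower()
        # Exactly one of the three value groups matched; empty string is a valid value.
        attrs[key] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def find_suspicious_shortcodes(post_id: int, content: str) -> List[Tuple[int, str, str]]:
    """Return (post_id, attribute, value) for every s2Eot format attribute carrying markup."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for key, value in parse_attrs(sc.group(1)).items():
            if key in FORMAT_ATTRS and SUSPICIOUS_RE.search(value):
                findings.append((post_id, key, value))
    return findings

def scan_posts(posts: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Scan a mapping of post_id -> post_content (constructed stand-in for wp_posts)."""
    findings = []
    for post_id, content in posts.items():
        findings.extend(find_suspicious_shortcodes(post_id, content))
    return findings

# Constructed sample posts: one benign, one with a script tag, one with an event handler.
SAMPLE_POSTS = {
    101: 'Renewal notice: [s2Eot user_id="5" future_format="Your access ends soon" empty_format="No end date"]',
    102: 'Welcome back. [s2Eot future_format="<script>alert(document.cookie)</script>" past_format=""]',
    103: "[s2Eot past_format=\u201d<b onmouseover=alert(1)>expired</b>\u201d]",
}

if __name__ == "__main__":
    for post_id, key, value in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {key} contains markup: {value!r}")
```

On a real site, feed `scan_posts()` the `ID` and `post_content` columns of `wp_posts` (including revisions), then remove or re-save the flagged posts after upgrading to 260101 so `wp_kses_post()` is applied.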