Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw caused by improper neutralization of input during web page generation, identified as CWE-79. It allows an attacker to inject malicious scripts that execute in the context of a victim's browser, potentially leading to session hijacking, credential theft, or defacement. The impact is limited to the confidentiality and integrity of user sessions and the integrity of the web pages displayed to victims; it does not provide direct code execution or system compromise.
Affected Systems
The flaw affects the s2Member WordPress plugin produced by Cristián Lávaque. All versions from the earliest available release up through and including 241216 are vulnerable. No specific build or module variants are listed, so any instance of the plugin with a version number less than or equal to 241216 is potentially exposed.
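The version boundary above can be checked across a set of WordPress installs by reading each plugin's `Version:` header. The script below is an added example, not code from the advisory or the plugin. It assumes the plugin lives in a folder named `s2member` under `wp-content/plugins`, and the sample tree and the version `250101` are constructed test data, not a statement about any real release.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = 241216   # from the advisory: versions <= 241216 are vulnerable
PLUGIN_DIR = "s2member"  # assumption: plugin folder name under wp-content/plugins
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)

def read_plugin_version(main_file: Path) -> str | None:
    """Return the Version header found in the first 8 KiB of a plugin file."""
    head = main_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    match = HEADER_RE.search(head)
    return match.group(1) if match else None

def classify(version: str | None) -> str:
    """Map a version string to 'affected', 'not-affected' or 'unknown'."""
    if version is None or not version.isdecimal():
        return "unknown"  # missing or non-numeric version: review by hand
    return "affected" if int(version) <= LAST_AFFECTED else "not-affected"

def audit(root: Path) -> dict[str, tuple[str | None, str]]:
    """Check every <site>/wp-content/plugins/s2member folder under root."""
    results = {}
    for plugin in sorted(root.glob(f"**/wp-content/plugins/{PLUGIN_DIR}")):
        version = None
        for php in sorted(plugin.glob("*.php")):
            version = read_plugin_version(php)
            if version:
                break
        site = plugin.relative_to(root).parts[0]
        results[site] = (version, classify(version))
    return results

def build_sample_tree(root: Path) -> None:
    """Constructed sample data: three fake sites with different headers."""
    samples = {"shop": "241216", "blog": "250101", "legacy": None}
    for site, version in samples.items():
        d = root / site / "wp-content" / "plugins" / PLUGIN_DIR
        d.mkdir(parents=True)
        header = "<?php\n/*\nPlugin Name: s2Member\n"
        header += f"Version: {version}\n" if version else ""
        (d / "s2member.php").write_text(header + "*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for site, (version, status) in audit(Path(tmp)).items():
            print(f"{site:8} version={version} status={status}")
```

Installs reported as `unknown` have a missing or non-numeric version header and need manual inspection, since the comparison only applies to numeric version strings.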
Risk and Exploitability
The CVSS v3 score of 7.1 reflects a medium to high severity, and the EPSS score of less than 1% indicates a low but non‑zero likelihood that the flaw is actively exploited. The flaw is not listed in the CISA KEV catalog. The most likely attack vector is a crafted URL or input field whose value the plugin fails to sanitize; an attacker can lure a user into following a crafted link that injects malicious script. Proper isolation of user data or use of a web application firewall can mitigate typical exploitation paths.