Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS.
This issue affects Team Showcase: from n/a through 1.22.28.
AnalysisAI
Stored cross-site scripting in the PickPlugins Team Showcase WordPress plugin (versions up to and including 1.22.28) enables authenticated low-privileged users to inject persistent malicious scripts that execute in the browsers of other site users who view the affected content. The CVSS Changed scope (S:C) reflects this cross-user impact boundary - typical of stored XSS in WordPress plugins where contributor-level accounts can craft content consumed by administrators or visitors. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) combined with SSVC exploitation status of 'none' indicates negligible active threat currently.
Technical ContextAI
Team Showcase is a WordPress plugin by PickPlugins (CPE: cpe:2.3:a:pickplugins:team_showcase:*:*:*:*:*:*:*:*) used to display team member profiles on WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning plugin input fields - likely team member name, bio, or custom fields - accept user-supplied data that is stored in the WordPress database without adequate sanitization or output escaping, and subsequently rendered verbatim in HTML page output. The Changed scope in the CVSS vector (S:C) confirms the injected payload executes in the security context of victim users' browsers rather than the attacker's own session, a characteristic behavior of persistent/stored XSS as opposed to reflected variants.
RemediationAI
Update the Team Showcase plugin to a version beyond 1.22.28 via the WordPress plugin dashboard or the WordPress plugin repository. A specific patched release version is not confirmed from available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/team/vulnerability/wordpress-team-showcase-plugin-1-22-28-cross-site-scripting-xss-vulnerability and the plugin's official changelog to identify the first fixed release. As a compensating control pending patch deployment, restrict Team Showcase plugin configuration and content-editing capabilities to administrator-level roles only, removing contributor or editor access to plugin-managed fields; this eliminates the PR:L attack surface entirely. A WAF rule targeting XSS payload patterns in plugin input endpoints can provide an additional detection layer, though it should not substitute for patching due to filter bypass risk.
More in Team Showcase
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209926
GHSA-wq9m-x4hh-h63p