Skip to main content

Team Showcase CVE-2025-62745

| EUVDEUVD-2025-209926 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-25 Patchstack GHSA-wq9m-x4hh-h63p
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:52 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS.

This issue affects Team Showcase: from n/a through 1.22.28.

AnalysisAI

Stored cross-site scripting in the PickPlugins Team Showcase WordPress plugin (versions up to and including 1.22.28) enables authenticated low-privileged users to inject persistent malicious scripts that execute in the browsers of other site users who view the affected content. The CVSS Changed scope (S:C) reflects this cross-user impact boundary - typical of stored XSS in WordPress plugins where contributor-level accounts can craft content consumed by administrators or visitors. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) combined with SSVC exploitation status of 'none' indicates negligible active threat currently.

Technical ContextAI

Team Showcase is a WordPress plugin by PickPlugins (CPE: cpe:2.3:a:pickplugins:team_showcase:*:*:*:*:*:*:*:*) used to display team member profiles on WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning plugin input fields - likely team member name, bio, or custom fields - accept user-supplied data that is stored in the WordPress database without adequate sanitization or output escaping, and subsequently rendered verbatim in HTML page output. The Changed scope in the CVSS vector (S:C) confirms the injected payload executes in the security context of victim users' browsers rather than the attacker's own session, a characteristic behavior of persistent/stored XSS as opposed to reflected variants.

RemediationAI

Update the Team Showcase plugin to a version beyond 1.22.28 via the WordPress plugin dashboard or the WordPress plugin repository. A specific patched release version is not confirmed from available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/team/vulnerability/wordpress-team-showcase-plugin-1-22-28-cross-site-scripting-xss-vulnerability and the plugin's official changelog to identify the first fixed release. As a compensating control pending patch deployment, restrict Team Showcase plugin configuration and content-editing capabilities to administrator-level roles only, removing contributor or editor access to plugin-managed fields; this eliminates the PR:L attack surface entirely. A WAF rule targeting XSS payload patterns in plugin input endpoints can provide an additional detection layer, though it should not substitute for patching due to filter bypass risk.

Share

CVE-2025-62745 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy