CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Description (NVD)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMart Team Member allows Blind SQL Injection.
This issue affects Team Member: from n/a through 8.5.
Analysis (AI)
SQL injection in the Team Member WordPress plugin, versions up to and including 8.5, allows authenticated administrators to extract database contents via blind SQL injection. The vulnerability, reported by Patchstack, requires high privileges (PR:H) but has a changed scope (S:C): an attacker can read sensitive data beyond the normal authorization boundary of the plugin. EPSS data and KEV status were not provided; no public exploit code was confirmed at the time of analysis.
Technical Context (AI)
This vulnerability affects the Team Member WordPress plugin (CPE: cpe:2.3:a:wpmart:team_member) developed by WPMart Team, all versions through 8.5. The flaw is classified as CWE-89 (SQL Injection), specifically a blind SQL injection variant where attackers cannot see query results directly but can infer data through application behavior, timing differences, or error-based responses. Blind SQL injection exploits insufficient input validation and parameterization in database queries, allowing attackers to inject malicious SQL syntax that the application executes against the backend database. WordPress plugins commonly interact with MySQL/MariaDB databases using wpdb class methods; when user input is concatenated directly into SQL queries without proper escaping or prepared statements, attackers can manipulate query logic to extract arbitrary database contents including credentials, user data, and plugin/theme configuration.
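As an added illustration of the CWE-89 pattern described above, and not code from the Team Member plugin (the plugin's actual query code is not on this page): a hypothetical wpdb query that interpolates request parameters directly, beside the same query rewritten with $wpdb->prepare() placeholders and an identifier allow-list. The function names, table name and request parameters are invented for the illustration; the WordPress runtime ($wpdb, absint, sanitize_text_field) is assumed to be loaded.

```php
<?php
// Hypothetical illustration of CWE-89 in a WordPress plugin.
// Not the Team Member plugin's code; table and parameter names are invented.

// VULNERABLE pattern: request values are concatenated straight into the SQL text.
// Nothing from the result is necessarily shown to the user, but a value that changes
// the query's truth or execution time still leaks data (blind SQL injection).
function example_get_members_vulnerable() {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_team_members'; // hypothetical table
    $team_id = $_GET['team_id'];                         // untrusted, unvalidated
    $orderby = $_GET['orderby'];                         // untrusted, unvalidated
    $sql = "SELECT id, name FROM $table WHERE team_id = $team_id ORDER BY $orderby";
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: the value goes through a %d placeholder in $wpdb->prepare(),
// so it can never change query structure; the ORDER BY column (an identifier,
// which placeholders do not cover) is restricted to a fixed allow-list.
function example_get_members_hardened() {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_team_members';  // trusted, built from the prefix
    $team_id = absint( $_GET['team_id'] ?? 0 );          // coerced to a non-negative integer
    $allowed = array( 'id', 'name', 'position' );        // only these columns may be sorted on
    $orderby = sanitize_text_field( $_GET['orderby'] ?? 'id' );
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id'; // reject anything outside the allow-list
    }
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE team_id = %d ORDER BY {$orderby}",
        $team_id
    );
    return $wpdb->get_results( $sql );
}
```

The hardened form is what the "prepared statements" remark in the paragraph above refers to in WordPress terms; an admin-only capability check on the calling endpoint is a separate control and does not replace parameterization.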
Remediation (AI)
Update the Team Member plugin to version 8.6 or later if a patched release is available through the WordPress plugin repository. Check the official plugin page at wordpress.org/plugins or the vendor's site (wpmart.org or related domain) for update availability. If no patch is released:
(1) Remove or deactivate the Team Member plugin until a fix is available, assessing the impact on site functionality before taking this step: sites using the team member display features will lose that functionality.
(2) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in requests to the plugin's endpoints, noting that blind SQLi can be difficult to detect via WAF alone and that such rules may cause false positives affecting legitimate admin actions.
(3) Restrict WordPress administrator access to trusted IP addresses only via .htaccess, server configuration, or security plugins, noting this breaks remote administration workflows.
(4) Enable comprehensive database activity monitoring and alerting for anomalous query patterns from the WordPress database user, which adds operational overhead but provides detection capability.
Reference the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/team-showcase-supreme/vulnerability/wordpress-team-member-plugin-8-5-sql-injection-vulnerability?_s_id=cve for vendor response and patch confirmation.
EUVD-2025-209716
GHSA-67p7-w6hw-p3w2