Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
PR:H for required admin credentials, AC:H for non-default multisite or unfiltered_html-disabled configuration, UI:R because a victim must visit the injected page for any impact to occur.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Team Members - Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AnalysisAI
Persistent script injection in the Team Members - Multi Language Supported Team Plugin for WordPress (all versions through 8.7) enables authenticated administrators to embed malicious JavaScript into site pages via insufficient sanitization and escaping in admin settings fields, with injected payloads executing silently for every subsequent page visitor. The vulnerability is constrained to two non-default deployment scenarios: WordPress multisite network installations and single-site installations where the unfiltered_html capability has been explicitly revoked from administrators - standard single-site installs are unaffected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two conditions to be simultaneously present: (1) attacker must hold WordPress administrator-level credentials (PR:H - a high privilege threshold); and (2) the target WordPress installation must be either a multisite network OR a single-site installation where the unfiltered_html capability has been explicitly disabled for administrators. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.4 Medium with vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N accurately characterizes the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor holding compromised or legitimate WordPress administrator credentials on a hardened multisite network logs into the admin panel, navigates to the Team Members plugin settings, and injects a JavaScript payload into a slider configuration field processed by slider_form_save.php - a field the plugin stores without sanitization. The payload is written to the WordPress database, and every subsequent visitor (including subscribers, editors, or other administrators) who loads any page embedding the team showcase shortcode silently executes the script in their browser, enabling session cookie exfiltration, credential harvesting, or defacement across the multisite network. … |
| Remediation | A fix has been committed to the WordPress plugin repository as changeset 3580341 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3580341%40team-showcase-supreme&new=3580341%40team-showcase-supreme); however, a specific released version number for the patched build is not independently confirmed from the available data - site owners should update to the latest version available in the WordPress plugin directory and verify the installed version exceeds 8.7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40249
GHSA-xwjg-85ph-66cc