Skip to main content

Team Members Plugin EUVDEUVD-2026-40249

| CVE-2026-12114 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 Wordfence GHSA-xwjg-85ph-66cc
4.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.0 MEDIUM

PR:H for required admin credentials, AC:H for non-default multisite or unfiltered_html-disabled configuration, UI:R because a victim must visit the injected page for any impact to occur.

3.1 AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 03:13 vuln.today
CVE Published
Jun 30, 2026 - 02:30 cve.org
MEDIUM 4.4

DescriptionCVE.org

The Team Members - Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AnalysisAI

Persistent script injection in the Team Members - Multi Language Supported Team Plugin for WordPress (all versions through 8.7) enables authenticated administrators to embed malicious JavaScript into site pages via insufficient sanitization and escaping in admin settings fields, with injected payloads executing silently for every subsequent page visitor. The vulnerability is constrained to two non-default deployment scenarios: WordPress multisite network installations and single-site installations where the unfiltered_html capability has been explicitly revoked from administrators - standard single-site installs are unaffected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress administrator
Delivery
Inject JavaScript payload via Team Members admin settings form
Exploit
Payload saved to WordPress database without sanitization
Execution
Victim loads page containing team showcase shortcode
Persist
Injected script executes in victim browser
Impact
Session tokens or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires two conditions to be simultaneously present: (1) attacker must hold WordPress administrator-level credentials (PR:H - a high privilege threshold); and (2) the target WordPress installation must be either a multisite network OR a single-site installation where the unfiltered_html capability has been explicitly disabled for administrators. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.4 Medium with vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N accurately characterizes the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor holding compromised or legitimate WordPress administrator credentials on a hardened multisite network logs into the admin panel, navigates to the Team Members plugin settings, and injects a JavaScript payload into a slider configuration field processed by slider_form_save.php - a field the plugin stores without sanitization. The payload is written to the WordPress database, and every subsequent visitor (including subscribers, editors, or other administrators) who loads any page embedding the team showcase shortcode silently executes the script in their browser, enabling session cookie exfiltration, credential harvesting, or defacement across the multisite network. …
Remediation A fix has been committed to the WordPress plugin repository as changeset 3580341 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3580341%40team-showcase-supreme&new=3580341%40team-showcase-supreme); however, a specific released version number for the patched build is not independently confirmed from the available data - site owners should update to the latest version available in the WordPress plugin directory and verify the installed version exceeds 8.7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy