Team Members Multi Language Supported Team Plugin
Monthly
Persistent script injection in the Team Members - Multi Language Supported Team Plugin for WordPress (all versions through 8.7) enables authenticated administrators to embed malicious JavaScript into site pages via insufficient sanitization and escaping in admin settings fields, with injected payloads executing silently for every subsequent page visitor. The vulnerability is constrained to two non-default deployment scenarios: WordPress multisite network installations and single-site installations where the unfiltered_html capability has been explicitly revoked from administrators - standard single-site installs are unaffected. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept exists, placing real-world risk well below what the scope-changed CVSS vector might initially suggest.
Persistent script injection in the Team Members - Multi Language Supported Team Plugin for WordPress (all versions through 8.7) enables authenticated administrators to embed malicious JavaScript into site pages via insufficient sanitization and escaping in admin settings fields, with injected payloads executing silently for every subsequent page visitor. The vulnerability is constrained to two non-default deployment scenarios: WordPress multisite network installations and single-site installations where the unfiltered_html capability has been explicitly revoked from administrators - standard single-site installs are unaffected. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept exists, placing real-world risk well below what the scope-changed CVSS vector might initially suggest.