Team Members < 5.0.4 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24128 | Plugin Vulnerabilities

Description

Cross-site scripting vulnerabilities in Team Members version 5.0.3 and lower allow medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member.

Proof of Concept

https://drive.google.com/file/d/1w5AmyBEOxAmtQ0T3uGKAB3o9w3ihNRAj/view

Add a user to a team, then use <img src=x onerror=alert(/XSS/)> in the 'Description/biography' field.

Affects Plugins

Fixed in 5.0.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

minhtuanact

Submitter

SunCSR (Sun Cyber Security Research)

Submitter website

http://research.sun-asterisk.com/

Submitter twitter

https://twitter.com/tuanbgpro97

Verified

No

WPVDB ID

11dc3325-e696-4c9e-ba10-968416d5c864

Timeline

Publicly Published

2020-05-16 (about 5 years ago)

Added

2020-05-16 (about 5 years ago)

Last Updated

2021-01-21 (about 4 years ago)

Other

Published

Title

Published

2025-01-17

Title

Image Source Control Lite – Show Image Credits and Captions < 2.28.1 - Reflected Cross-Site Scripting

Published

2025-02-23

Title

Variable Inspector < 2.6.3 - Reflected Cross-Site Scripting

Published

2025-06-05

Title

BNS Featured Category <= 2.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-10

Title

Deliver via Shipos for WooCommerce < 2.2.0 - Reflected Cross-Site Scripting

Published

2025-04-17

Title

WordPress Video Robot - The Ultimate Video Importer <= 1.20.0 - Reflected Cross-Site Scripting