WordPress Plugin Vulnerabilities

GS Team Members < 2.2.4 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

Affects Plugins

Plugin icon
gs-team-members
Fixed in 2.2.4

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c146f89c-5df3-4aaf-b880-0ce6016dfb6d

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Verified
No
WPVDB ID
1c2d20b2-12c7-44b9-9bb2-005ef81f8d10

Timeline

Publicly Published
2023-11-22 (about 2 years ago)
Added
2024-01-24 (about 2 years ago)
Last Updated
2024-01-24 (about 2 years ago)

Other

Published
Title
Published
2023-07-13
Title
WPFunnels < 2.7.17 - Reflected Cross-Site Scripting
Published
2023-11-09
Title
WP Event Manager < 3.1.43 - Reflected XSS
Published
2025-04-01
Title
MX Time Zone Clocks <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-03
Title
Email Address Obfuscation < 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter
Published
2025-12-20
Title
ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.5 - Unauthenticated Stored Cross-Site Scripting