Team Members < 5.3.2 – Author+ Stored XSS | CVE 2024-1331 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its Team options attributes before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Create/edit a team and add a member to it
2. Fill all the forms, upload a photo and input `" onmouseover='alert(1)'` in the "First name ", "Lastname" or "Link URL" field.
3. Put the resulting shortcode in a post, render the post and hover the user card / social link icon to trigger the XSS

Affects Plugins

Fixed in 5.3.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

b2bac900-3d8f-406c-b03d-c8db156acc59

Timeline

Publicly Published

2024-02-26 (about 1 year ago)

Added

2024-02-26 (about 1 year ago)

Last Updated

2024-03-05 (about 1 year ago)

Other

Published

Title

Published

2024-03-28

Title

The Plus Blocks for Block Editor | Gutenberg < 3.2.6 - Reflected Cross-Site Scripting

Published

2024-12-04

Title

WIP WooCarousel Lite < 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2019-06-26

Title

WebP Express < 0.14.8 - Authenticated Stored XSS

Published

2025-12-19

Title

Responsive and Swipe slider <= 1.0.2 - Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

Published

2023-10-17

Title

Category SEO Meta Tags <= 2.5 - Admin+ Stored XSS