Team Members < 5.0.4 - Authenticated Stored Cross-Site Scripting (XSS)



Description
Cross-site scripting vulnerabilities in Team Members version 5.0.3 and lower allow a medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member.



Proof of Concept

The PoC will be displayed on May 30, 2020, to give users the time to update.

Affects Plugin

fixed in version 5.0.4

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher minhtuanact
Submitter SunCSR (Sun Cyber Security Research)
Submitter Website http://research.sun-asterisk.com/
Submitter Twitter https://twitter.com/tuanbgpro97
Views 598
Verified No
WPVDB ID 10228

Timeline

Publicly Published 2020-05-16 (10 days ago)
Added 2020-05-16 (9 days ago)
Last Updated 2020-05-16 (9 days ago)
