CVE-2022-1568

CWE-79 — Cross-site Scripting (XSS)CWE-284 — Improper Access Control4 documents4 sources

Severity

4.8MEDIUM

EPSS

0.2%

top 57.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Team Members Wpdarko Team Members

Timeline

PublishedMay 30

Latest updateAug 18

Description

The Team Members WordPress plugin before 5.1.1 does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/team_members5.1.1 — 5.1.1

▶NVDwpdarko/team_members< 5.1.1

🔴Vulnerability Details

GHSA

Bots using py-cord as Discord API wrapper are vulnerable to shutdowns through remote code execution↗2022-08-18

▶

GHSA

GHSA-346x-rj4h-394r: The Team Members WordPress plugin before 5↗2022-05-31

▶

CVEList

Team Members < 5.1.1 - Admin+ Stored Cross-Site Scripting↗2022-05-30

▶