CVE-2024-1331

CWE-79Cross-site Scripting (XSS)CWE-2095 documents5 sources
Severity
6.1MEDIUM
EPSS
0.5%
top 34.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Team MembersWpdarko Team Members
Timeline
PublishedMar 18

Description

The Team Members WordPress plugin before 5.3.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/team_members< 5.3.2

🔴Vulnerability Details

3
GHSA
GHSA-vhh4-7pjp-752m: The Team Members WordPress plugin before 52024-03-18
CVEList
Team Members < 5.3.2 - Author+ Stored XSS2024-03-18
GHSA
ClickHouse vulnerable to client certificate password exposure in client exception2023-05-12

💥Exploits & PoCs

1
Nuclei
Lazy Blocks <= 3.8.2 - Cross-Site Scripting
CVE-2024-1331 (MEDIUM CVSS 6.1) | The Team Members WordPress plugin b | cvebase.io