CVE-2025-11560
Description
The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the Team Members Showcase WordPress plugin before 3.5.0 allows attackers to inject scripts via an unsanitized parameter, targeting admins.
The Team Members Showcase WordPress plugin, versions prior to 3.5.0, is vulnerable to a reflected cross-site scripting (XSS) attack [1]. The plugin fails to properly sanitize and escape a user-supplied parameter before including it in the output of a page, enabling an attacker to inject arbitrary JavaScript or HTML into the response [1]. This type of vulnerability occurs when input is reflected back to the user without proper validation or escaping.
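The pattern the advisory describes, shown as an added example that is not the plugin's own code: a request parameter echoed into the page unescaped, beside the hardened form that sanitizes on input and escapes on output with the WordPress escaper matching each context. The parameter name `tmsc_filter` and both render functions are hypothetical placeholders; the `function_exists` stand-ins only let the file run outside WordPress, where the real `esc_html()`, `esc_attr()` and `sanitize_text_field()` would be used.

```php
<?php
// Added illustration, not code from the Team Members Showcase plugin.
// "tmsc_filter" is a hypothetical parameter name, not one named in the advisory.

// Stand-ins so this script runs outside WordPress. Inside WordPress these
// functions already exist and the real implementations are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Strip tags and control characters, collapse runs of whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim(preg_replace('/\s+/', ' ', $str));
    }
}

// Vulnerable pattern: the raw request value is concatenated straight into
// markup, so any HTML it contains is interpreted by the victim's browser.
function render_filter_vulnerable(array $get) {
    $filter = isset($get['tmsc_filter']) ? $get['tmsc_filter'] : '';
    return '<div class="tmsc-filter" data-filter="' . $filter . '">'
         . $filter . '</div>';
}

// Hardened pattern: sanitize when reading the input, then escape at output
// with the escaper for the context it lands in (attribute vs. text node).
function render_filter_fixed(array $get) {
    $filter = isset($get['tmsc_filter'])
        ? sanitize_text_field($get['tmsc_filter'])
        : '';
    return '<div class="tmsc-filter" data-filter="' . esc_attr($filter) . '">'
         . esc_html($filter) . '</div>';
}

// Constructed input: a harmless markup fragment standing in for any
// attacker-controlled text arriving in the query string.
$request = ['tmsc_filter' => '<b>injected</b>'];
echo "vulnerable: " . render_filter_vulnerable($request) . "\n";
echo "fixed:      " . render_filter_fixed($request) . "\n";
```

Inside a real plugin the value would also be read through `wp_unslash()` before sanitizing, and the rule to audit for is the same one the advisory states: every reflected value must be escaped at the point of output with a context-appropriate escaper, regardless of any sanitization done earlier.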
To exploit this issue, an attacker must craft a malicious URL containing the injected payload and deliver it to a victim [1]. The attack is reflected, meaning the payload is included in the immediate HTTP response and does not require persistent storage on the server. Notably, the advisory indicates that the vulnerability can be effectively used against high-privilege users, such as administrators, who may be more likely to follow links within the administrative context [1]. No special preconditions beyond standard user interaction are mentioned.
Successful exploitation could lead to arbitrary script execution in the victim's browser session [1]. In the context of a WordPress site, this could allow an attacker to perform actions as the targeted user, including modifying site settings, creating rogue admin accounts, or stealing session tokens, especially if the victim is an administrator [1]. The impact is heightened by the potential target audience of privileged users.
The vulnerability is fixed in version 3.5.0 of the plugin, released after the disclosure by researcher Gregory Allegoet [1]. Users of the Team Members Showcase plugin are strongly advised to update to the latest version to mitigate the risk. No workarounds are detailed in the available reference.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.