CVE-2025-26949
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Team Section Block team-section allows Stored XSS. This issue affects Team Section Block: from n/a through <= 1.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Team Section Block plugin <=1.0.9 allows authenticated attackers to inject malicious scripts.
The Team Section Block plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation. The plugin fails to sanitize user-supplied data, allowing attackers to inject arbitrary HTML and JavaScript that is stored and later executed when other users view the compromised team section [1].
Exploitation requires an authenticated user with contributor-level privileges or higher to create or update a team block with malicious payloads. The injected script executes when an administrator or visitor loads the affected page, potentially leading to session hijacking or site defacement. Successful exploitation does require user interaction, such as clicking a malicious link or visiting a crafted page [1].
An attacker can perform actions in the victim's browser context, including stealing cookies, redirecting to malicious sites, or injecting advertisements. The CVSS v3 score for this vulnerability is 6.5 (Medium), reflecting the need for elevated privileges and user interaction [1].
The vendor addressed the issue in version 1.1.0 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to protect their sites [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.