VYPR
High severity (7.1) · NVD Advisory · Published Jul 4, 2025 · Updated Apr 23, 2026

CVE-2025-49247


Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmoreira Team Showcase (team-showcase-cm) allows DOM-Based XSS. This issue affects Team Showcase: from n/a through < 25.05.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in Team Showcase plugin for WordPress allows attackers to inject malicious scripts via crafted input, version < 25.05.13.

The Team Showcase plugin for WordPress, developed by cmoreira, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw affects all versions prior to 25.05.13. An attacker can inject arbitrary JavaScript code that executes in the victim's browser within the context of the vulnerable site [1].

An attacker can exploit this vulnerability by crafting a malicious link or submitting a specially crafted form that triggers the XSS payload. User interaction is required (clicking the link or visiting a crafted page), and the attacker may need a certain level of privilege to initiate the attack, but successful exploitation requires no network-level access beyond standard web browsing [1].

Successful exploitation could allow the attacker to perform actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing session cookies and other sensitive data. The impact is amplified because this type of vulnerability is often used in mass exploitation campaigns targeting thousands of WordPress sites regardless of their popularity or traffic level [1].

Patchstack has issued a mitigation rule and recommends updating the plugin to version 25.05.13 or later, which resolves the issue. For sites unable to update immediately, a web developer or hosting provider should be consulted for alternative protective measures [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)