CVE-2025-62745
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS.
This issue affects Team Showcase: from n/a through 1.22.28.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WordPress Team Showcase plugin versions up to 1.22.28 are vulnerable to Stored Cross-Site Scripting (XSS) due to improper input neutralization, allowing attackers to inject malicious scripts.
Vulnerability
The WordPress Team Showcase plugin (by PickPlugins), versions from n/a through 1.22.28, contains a Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) caused by improper neutralization of user-supplied input during web page generation [1]. An authenticated attacker whose role allows creating or editing team member entries can inject arbitrary HTML or JavaScript into a field that the plugin stores and later renders, unescaped, into front-end pages; the payload then executes in the browser of every visitor who loads an affected page. The vulnerability does not require any special configuration beyond a default installation of the vulnerable plugin [1].
Exploitation
To exploit this vulnerability, an attacker must hold a user role that can submit or modify team member content (e.g., via the WordPress admin interface) [1]. The attacker enters script code into one of the plugin's input fields (such as a team member name, description, or other text field) that is not properly sanitized on save or escaped on output. Because this is a stored (persistent) XSS, no crafted link or form submission by the victim is needed: the payload fires whenever a visitor, an editor, or an administrator simply loads or previews a page on which the plugin renders the poisoned entry. The only user interaction required is visiting that page [1], which is why a public team page turns every site visitor into a potential victim.
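The following is an added illustration, not code from the Team Showcase plugin or from PickPlugins (this page does not reproduce the plugin's source). It shows a hypothetical team-member shortcode written in the improper-neutralization style that produces a stored XSS, beside a hardened version that escapes each value for the HTML context it lands in and also sanitizes on save. The shortcode name, function names, meta keys and field names are all assumptions; the WordPress API calls (`esc_html`, `esc_attr`, `esc_url`, `wp_kses_post`, `sanitize_text_field`, `current_user_can`) are real.

```php
<?php
/**
 * Hypothetical example (not the Team Showcase plugin's code).
 * Shortcode name, meta keys and function names are assumptions
 * chosen only to illustrate the vulnerable vs. hardened pattern.
 */

// --- Vulnerable pattern: stored meta echoed straight into the page. ---
function example_team_member_vulnerable( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'example_team_member' );
    $post_id = (int) $atts['id'];

    // Values an authenticated user entered in the team-member editor.
    $name = get_post_meta( $post_id, '_example_member_name', true );
    $bio  = get_post_meta( $post_id, '_example_member_bio', true );
    $link = get_post_meta( $post_id, '_example_member_link', true );

    // No neutralization: a bio of <img src=x onerror=alert(document.cookie)>
    // or a link of javascript:alert(1) is persisted and runs for every visitor.
    return '<div class="member">'
         . '<h3>' . $name . '</h3>'
         . '<a href="' . $link . '" title="' . $name . '">' . $name . '</a>'
         . '<p>' . $bio . '</p>'
         . '</div>';
}

// --- Hardened pattern: escape for the context each value is written into. ---
function example_team_member_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'example_team_member' );
    $post_id = (int) $atts['id'];

    $name = get_post_meta( $post_id, '_example_member_name', true );
    $bio  = get_post_meta( $post_id, '_example_member_bio', true );
    $link = get_post_meta( $post_id, '_example_member_link', true );

    // Escape at output even if the value was sanitized at save time: meta can
    // also be written through the REST API, imports or other plugins.
    return '<div class="member">'
         . '<h3>' . esc_html( $name ) . '</h3>'                 // text node
         . '<a href="' . esc_url( $link ) . '"'                 // URL: drops javascript: etc.
         . ' title="' . esc_attr( $name ) . '">'                // attribute value
         . esc_html( $name ) . '</a>'
         . '<p>' . wp_kses_post( $bio ) . '</p>'                // limited HTML allowlist
         . '</div>';
}

// --- Defense in depth: sanitize on save according to the saver's capabilities. ---
function example_save_member_meta( $post_id ) {
    // Nonce and capability checks first; a missing capability check would
    // turn this into a separate (broken access control) bug.
    if ( ! isset( $_POST['example_member_nonce'] )
         || ! wp_verify_nonce( $_POST['example_member_nonce'], 'example_member_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    $name = sanitize_text_field( wp_unslash( $_POST['example_member_name'] ?? '' ) );
    $link = esc_url_raw( wp_unslash( $_POST['example_member_link'] ?? '' ) );
    $bio  = wp_unslash( $_POST['example_member_bio'] ?? '' );

    // Users without unfiltered_html (Contributors, Authors, and Editors on
    // multisite) only get the post-content tag allowlist, as core does for posts.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $bio = wp_kses_post( $bio );
    }

    update_post_meta( $post_id, '_example_member_name', $name );
    update_post_meta( $post_id, '_example_member_link', $link );
    update_post_meta( $post_id, '_example_member_bio', $bio );
}

add_action( 'save_post', 'example_save_member_meta' );
add_shortcode( 'example_team_member', 'example_team_member_hardened' );
```

The important design point is that the vulnerable and hardened functions read exactly the same stored data; the difference is only whether each value is escaped for its output context (text node, attribute, URL, or allow-listed HTML). Save-time sanitization alone is not enough, because other write paths exist, and output-time escaping alone is what actually prevents the stored payload from executing.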
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of an authenticated user's session. This can lead to session hijacking, defacement, redirection to malicious sites, credential theft, or injection of unauthorized advertisements and other HTML payloads [1]. The attacker can compromise the integrity and confidentiality of the affected WordPress site, potentially affecting all visitors when the malicious script runs on publicly accessible pages [1].
Mitigation
The affected range ends at version 1.22.28, so any fixed release would be later than 1.22.28; this page's Patches section does not yet record a fix, so check the plugin's changelog and update to the latest available release [1]. If updating is not possible, restrict the ability to create or modify team content to fully trusted administrators, and consider a Web Application Firewall (WAF) with XSS rules as a partial, not complete, stop-gap. No known KEV listing for this CVE at the time of publication [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Team Showcase (PickPlugins), range: <= 1.22.28
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.