VYPR
Medium severity (6.4) · NVD Advisory · Published May 27, 2026

CVE-2026-8870

Description

The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated contributors can inject stored XSS via shortcode attributes in the Team Master plugin up to v1.1.2 due to unsanitized output.

Vulnerability

The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via shortcode attributes in all versions up to, and including, 1.1.2. The vulnerability exists because the plugin’s shortcode handler in public/partials/team-master-public-shortcode.php [1] does not sufficiently sanitize user-supplied attribute values before rendering them in the page output. Authenticated attackers with contributor-level access or above can inject arbitrary JavaScript into these attributes.

Exploitation

An attacker must possess a WordPress account with at least contributor-level privileges. The attacker can craft a shortcode attribute (such as slides_to_show, slides_autoplay, or any other attribute that is echoed unsafely) containing malicious JavaScript code. When the shortcode is embedded in a post or page, the injected script is stored in the database and executed in the browsers of users who view that page [1]. No additional user interaction is required beyond visiting the compromised page.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim’s browser. This can lead to session hijacking, credential theft, defacement of the site, or redirection to malicious sites. Any user (including administrators) viewing the affected page is at risk. The attack is persistent (stored) and can propagate to multiple visitors.

Mitigation

The vendor has not released a patch as of the publication date (2026-05-27). Users should disable the plugin or remove all shortcodes that use vulnerable attributes until a fixed version is provided. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.
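The Vulnerability and Mitigation sections above describe the general pattern: shortcode attribute values that a contributor types into post content are rendered into HTML without type coercion or context-appropriate escaping. The following is an added illustration, not the Team Master plugin's own code; the shortcode tag `team_demo`, the function names and the default values are assumptions, and only the attribute names `slides_to_show` and `slides_autoplay` come from the advisory. It places a minimal handler that echoes attributes verbatim next to a hardened version that validates each attribute against its expected type and escapes it for the context it lands in.

```php
<?php
// Added example (not the plugin's own code): a hypothetical WordPress shortcode
// handler showing the unsafe pattern the advisory describes, and a hardened version.
// The [team_demo] tag, function names and defaults are assumptions.

// UNSAFE pattern: attribute values are dropped straight into attribute and text context.
function team_demo_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'slides_to_show' => '3', 'slides_autoplay' => 'false', 'title' => '' ),
        $atts,
        'team_demo'
    );
    // Whatever the post author typed is echoed verbatim into data-* attributes and into
    // element text, so a contributor-controlled value is stored and rendered unchanged.
    return '<div class="team-demo" data-slides="' . $atts['slides_to_show'] . '"'
         . ' data-autoplay="' . $atts['slides_autoplay'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// HARDENED pattern: coerce each value to its expected type, then escape for the output context.
function team_demo_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'slides_to_show' => '3', 'slides_autoplay' => 'false', 'title' => '' ),
        $atts,
        'team_demo'
    );

    // Numeric option: absint() keeps only a non-negative integer, so no markup can
    // survive; clamping to a sane range also stops absurd values reaching the front end.
    $slides = max( 1, min( 12, absint( $atts['slides_to_show'] ) ) );

    // Boolean option: allow-list the spellings we accept; anything else means "false".
    $autoplay = in_array( strtolower( trim( $atts['slides_autoplay'] ) ), array( 'true', '1', 'yes' ), true )
        ? 'true'
        : 'false';

    // Free-text option: strip tags and control characters on the way in, escape on the way out.
    $title = sanitize_text_field( $atts['title'] );

    return '<div class="team-demo" data-slides="' . esc_attr( (string) $slides ) . '"'
         . ' data-autoplay="' . esc_attr( $autoplay ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3></div>';
}

// Only the hardened handler is registered; the unsafe one is shown for contrast.
add_shortcode( 'team_demo', 'team_demo_shortcode_safe' );
```

The important design point is that the escaping happens at render time, in the function that knows the output context: `esc_attr()` for attribute values and `esc_html()` for element text. Relying on what WordPress does when a contributor saves a post is not enough, because the shortcode text itself is ordinary post content and survives that filtering; the value only becomes markup when the plugin's handler builds the HTML. Type coercion (`absint()`, an allow-list for booleans) is the first line, escaping is the second, and a reviewer auditing a shortcode handler should expect to see both on every attribute that reaches the output string.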

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)