Team
by WordPress
Source repositories
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-14124 | Hig | 0.56 | 8.6 | 0.02 | Jan 5, 2026 | The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | ||
| CVE-2018-25162 | Med | 0.42 | 6.5 | 0.00 | Mar 6, 2026 | 2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are… | ||
| CVE-2024-43321 | Med | 0.42 | 6.5 | 0.00 | Aug 18, 2024 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS.This issue affects Team Showcase: from n/a through 1.22.23. | ||
| CVE-2026-43234 | Med | 0.29 | 5.5 | 0.00 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2… | ||
| CVE-2025-68340 | 0.00 | — | 0.00 | Dec 23, 2025 | In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the… | |||
| CVE-2024-9236 | 0.00 | — | 0.00 | May 15, 2025 | The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||
| CVE-2024-13439 | 0.00 | — | 0.00 | Feb 15, 2025 | The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with Subscriber-level… | |||
| CVE-2024-9923 | 0.00 | — | 0.01 | Oct 14, 2024 | The Team+ from TEAMPLUS TECHNOLOGY does not properly validate a specific page parameter, allowing remote attackers with administrator privileges to move arbitrary system files to the website root directory and access them. | |||
| CVE-2024-9922 | 0.00 | — | 0.01 | Oct 14, 2024 | The Team+ from TEAMPLUS TECHNOLOGY does not properly validate a specific page parameter, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files. | |||
| CVE-2024-9921 | 0.00 | — | 0.01 | Oct 14, 2024 | The Team+ from TEAMPLUS TECHNOLOGY does not properly validate specific page parameter, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify and delete database contents. |
- risk 0.56cvss 8.6epss 0.02
The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
- risk 0.42cvss 6.5epss 0.00
2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are…
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS.This issue affects Team Showcase: from n/a through 1.22.23.
- risk 0.29cvss 5.5epss 0.00
In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2…
- CVE-2025-68340Dec 23, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the…
- CVE-2024-9236May 15, 2025risk 0.00cvss —epss 0.00
The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
- CVE-2024-13439Feb 15, 2025risk 0.00cvss —epss 0.00
The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with Subscriber-level…
- CVE-2024-9923Oct 14, 2024risk 0.00cvss —epss 0.01
The Team+ from TEAMPLUS TECHNOLOGY does not properly validate a specific page parameter, allowing remote attackers with administrator privileges to move arbitrary system files to the website root directory and access them.
- CVE-2024-9922Oct 14, 2024risk 0.00cvss —epss 0.01
The Team+ from TEAMPLUS TECHNOLOGY does not properly validate a specific page parameter, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files.
- CVE-2024-9921Oct 14, 2024risk 0.00cvss —epss 0.01
The Team+ from TEAMPLUS TECHNOLOGY does not properly validate specific page parameter, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify and delete database contents.