VYPR

Team Members

by WordPress

CVEs (7)

  • CVE-2025-32686 | High | Apr 17, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    Deserialization of Untrusted Data vulnerability in WPSpeedo Team Members wps-team allows Object Injection. This issue affects Team Members: from n/a through <= 3.4.4.

  • CVE-2025-8440 | Medium | Sep 27, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    The Team Members plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the first and last name fields in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2024-38670 | Medium | Jul 20, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Team Members allows Stored XSS. This issue affects Team Members: from n/a through 5.3.3.

  • CVE-2024-1331 | Medium | Mar 18, 2024
    risk 0.40 | cvss 6.1 | epss 0.00

    The Team Members WordPress plugin before 5.3.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the author role and above to perform Stored Cross-Site Scripting…

  • CVE-2021-24128 | Medium | Mar 18, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing a medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the…

  • CVE-2022-3936 | Medium | Jan 2, 2023
    risk 0.31 | cvss 4.8 | epss 0.01

    The Team Members WordPress plugin before 5.2.1 does not sanitize and escape some of its settings, which could allow high-privilege users such as editors to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a…

  • CVE-2022-1568 | Medium | May 30, 2022
    risk 0.31 | cvss 4.8 | epss 0.01

    The Team Members WordPress plugin before 5.1.1 does not escape some of its Team settings, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.