Team Members < 5.0.4 - Authenticated Stored Cross-Site Scripting (XSS)

ID WPEX-ID:11DC3325-E696-4C9E-BA10-968416D5C864
Type wpexploit
Reporter SunCSR (Sun Cyber Security Research)
Modified 2021-01-21T06:00:58


Cross-site scripting vulnerabilities in Team Members version 5.0.3 and lower allow a medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' field of a member.


Add a user to a team, then use <img src=x onerror=alert(/XSS/)> in the 'Description/biography' field.
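
For sites that ran an affected version, the following added example (not part of the original advisory and not the plugin's code) audits stored biography values for script-capable markup such as the payload above. It assumes the biographies have already been exported into a mapping of member id to HTML; the names audit_biography, audit_rows and SAMPLE_ROWS are hypothetical.

```python
import re
from html.parser import HTMLParser

# Elements that run or embed active content regardless of attributes.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value the browser treats as a URL.
URL_ATTRS = {"href", "src", "action", "formaction"}


class _BioAuditor(HTMLParser):
    """Collects script-capable markup found in one biography value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Character references are already decoded by the parser; strip
            # whitespace and control characters so padded schemes still match.
            url = re.sub(r"[\x00-\x20]+", "", value or "").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and url.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_biography(html_text):
    """Return the list of findings for one stored biography value."""
    parser = _BioAuditor()
    parser.feed(html_text)
    parser.close()
    return parser.findings


def audit_rows(rows):
    """Return {member_id: findings} for rows that contain active markup."""
    return {mid: found for mid, bio in rows.items() if (found := audit_biography(bio))}


# Constructed sample data: member id -> stored biography HTML.
SAMPLE_ROWS = {
    101: "<p>Jane leads the <strong>design</strong> team.</p>",
    102: "Bio <img src=x onerror=alert(/XSS/)>",  # payload from the advisory
    103: '<a href="java&#115;cript:void(0)">profile</a>',
}

if __name__ == "__main__":
    for member_id, found in audit_rows(SAMPLE_ROWS).items():
        print(member_id, found)
```

Any member id reported here should have its biography reviewed and cleaned after upgrading to 5.0.4 or later, since stored content remains in place when the plugin is updated.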