Team Members Showcase WordPress Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Team Members Showcase WordPress plugin, affecting versions prior to 3.5.0. The issue arises because the plugin fails to properly sanitize and escape a parameter before displaying it on the page. This vulnerability could be exploited against high-privilege users, such as administrators.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, navigate to the WordPress admin area and access the 'edit.php' page for the 'wps-team-members' post type. Include a crafted 'taxonomy' parameter that contains a script payload, such as a script tag with JavaScript code, such as an alert displaying the document cookie.

Remediation

Users are advised to update the Team Members Showcase WordPress plugin to version 3.5.0 or later.