CVE Catalog

CVE-2026-12114

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

The Team Members – Multi Language Supported Team Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 8.7 inclusive. This is due to insufficient input sanitization and output escaping.

Risk Assessment

An authenticated attacker with administrator-level permissions can inject arbitrary scripts that execute whenever a user accesses the injected page, potentially leading to session theft, defacement, or further attacks. This affects only multi-site installations and those where unfiltered_html is disabled.

Recommendation

Immediately update the Team Members plugin to the latest available version. For multi-site installations, consider restricting administrator privileges or enabling unfiltered_html filtering.

Original NVD description (English source)

The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS