Description
The Employee Spotlight – Team Member Showcase & Meet the Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social URLs in all versions up to, and including, 5.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Employee Spotlight – Team Member Showcase & Meet the Team plugin for WordPress is vulnerable to Stored XSS because it fails to properly sanitize and escape data entered in the social URL fields. This weakness, identified as CWE‑79, allows an attacker to embed malicious scripts that will run in the web browsers of any user who views the affected page, potentially leading to defacement, cookie theft, or session hijacking.

Affected Systems

The vulnerability affects the WordPress plugin "Employee Spotlight – Team Member Showcase & Meet the Team" provided by emarket‑design. All plugin versions up to and including 5.1.2 are impacted. An authenticated attacker with Contributor level or higher can perform the exploit.

Risk and Exploitability

The CVSS score of 6.4 reflects a moderate risk of exploitation. Because the EPSS score is below 1% and the vulnerability is not listed in CISA KEV, the likelihood of widespread immediate exploitation is low, but the attack requires legitimate contributor credentials. Once a malicious script is injected, it executes with the privileges of the browsing user, potentially compromising confidentiality, integrity, and availability of site content.

Generated by OpenCVE AI on April 22, 2026 at 12:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Employee Spotlight plugin to the latest released version that contains the XSS fix.
  • If an upgrade cannot be performed immediately, disable the social URL fields in the plugin settings or modify the plugin code to sanitize output, and restrict Contributor+ access to trusted accounts only.
  • Conduct a search of all plugin data for injected scripts, remove any malicious payloads, and verify that no de‑obfuscated JavaScript remains in posts or pages.

Generated by OpenCVE AI on April 22, 2026 at 12:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 03 Nov 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Emarket-design
Emarket-design employee Spotlight
Wordpress
Wordpress wordpress
Vendors & Products Emarket-design
Emarket-design employee Spotlight
Wordpress
Wordpress wordpress

Sat, 01 Nov 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Employee Spotlight – Team Member Showcase & Meet the Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social URLs in all versions up to, and including, 5.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Employee Spotlight – Team Member Showcase & Meet the Team Plugin <= 5.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Emarket-design Employee Spotlight
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:41.328Z

Reserved: 2025-10-22T18:31:33.568Z

Link: CVE-2025-12090

cve-icon Vulnrichment

Updated: 2025-11-03T13:10:48.263Z

cve-icon NVD

Status : Deferred

Published: 2025-11-01T06:15:40.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12090

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses