Description
The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings.
Published: 2025-12-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Tracking Settings
Action: Apply Patch
AI Analysis

Impact

The Employee Spotlight – Team Member Showcase & Meet the Team plugin suffers from a missing authorization check in the employee_spotlight_check_optin() function, allowing authenticated users with Subscriber level access or higher to change opt‑in or opt‑out tracking settings. This flaw does not grant code execution or privilege escalation, but it permits an attacker to alter the tracking behavior of the site, potentially enabling unwanted data collection or disabling privacy safeguards.

Affected Systems

WordPress installations running the Employee Spotlight – Team Member Showcase & Meet the Team plugin version 5.1.3 or earlier are affected.

Risk and Exploitability

With a CVSS score of 4.3, the vulnerability is considered medium severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the issue is not listed in CISA’s KEV catalog. Exploitation requires only authenticated access with Subscriber or higher privilege, so the attack surface is limited to sites that assign such roles to users who can access the plugin’s settings page. The impact remains confined to the tracking configuration and does not compromise broader system integrity or confidentiality.

Generated by OpenCVE AI on April 22, 2026 at 16:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Employee Spotlight plugin to version 5.1.4 or later, which restores proper authorization for tracking settings.
  • If an immediate upgrade is not possible, restrict users with Subscriber role or below from accessing the plugin’s settings page using a role‑management plugin or custom code that removes the capability.
  • As a temporary measure, set the tracking option to the desired default value in the database or within the plugin’s configuration file to override any unauthorized changes.

Generated by OpenCVE AI on April 22, 2026 at 16:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Emarket-design
Emarket-design employee Spotlight
Wordpress
Wordpress wordpress
Vendors & Products Emarket-design
Emarket-design employee Spotlight
Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings.
Title Employee Spotlight – Team Member Showcase & Meet the Team Plugin <= 5.1.3 - Missing Authorization to Authenticated (Subscriber+) Tracking Opt-In/Opt-Out Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Emarket-design Employee Spotlight
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:51.973Z

Reserved: 2025-11-19T14:00:48.283Z

Link: CVE-2025-13403

cve-icon Vulnrichment

Updated: 2025-12-15T15:25:21.155Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:47.447

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13403

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:15:21Z

Weaknesses