Description
The AMO Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's amoteam_skills shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The AMO Team Showcase plugin for WordPress allows authenticated users with contributor or higher privileges to insert arbitrary JavaScript into the page via the amoteam_skills shortcode. Because the plugin fails to properly sanitize or escape user‑supplied attributes, the injected script is persisted and executed for every visitor to the affected content. This is a classic stored XSS flaw that permits attackers to modify page content, steal session cookies, or execute other malicious actions within the user's browser context.

Affected Systems

WordPress sites running the AMO Team Showcase plugin, versions up to and including 1.1.4, are affected. The flaw resides in the amoteam_skills shortcode component of the AMO Team Showcase plugin.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score is below 1 %, suggesting a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. It can be exploited only by authenticated users with contributor-level access or higher, so the attack vector is restricted to internal or compromised credentials rather than public. Because the payload is user‑controlled and stored, it remains active until the offending content is removed or the plugin is patched.

Generated by OpenCVE AI on April 20, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AMO Team Showcase plugin to version 1.1.5 or later, which removes the vulnerability.
  • If an upgrade is not possible, restrict contributor permissions on the site or disable the amoteam_skills shortcode for all users who are not trusted super‑administrators.
  • Implement strict input validation or a Content Security Policy on the site to mitigate the impact of any remaining stored XSS vectors.

Generated by OpenCVE AI on April 20, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4548 The AMO Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's amoteam_skills shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 25 Feb 2025 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Amothemo
Amothemo amo Team Showcase
CPEs cpe:2.3:a:amothemo:amo_team_showcase:*:*:*:*:*:wordpress:*:*
Vendors & Products Amothemo
Amothemo amo Team Showcase

Fri, 21 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Feb 2025 03:30:00 +0000

Type Values Removed Values Added
Description The AMO Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's amoteam_skills shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title AMO Team Showcase <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via amoteam_skills Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Amothemo Amo Team Showcase
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:33.983Z

Reserved: 2025-02-17T22:05:05.657Z

Link: CVE-2025-1407

cve-icon Vulnrichment

Updated: 2025-02-21T14:46:29.685Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-21T04:15:10.510

Modified: 2025-02-25T03:37:32.347

Link: CVE-2025-1407

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses