This vulnerability is an instance of improper neutralization of input during web page generation, allowing an attacker to inject and store malicious script code within the plugin’s data. Based on the description, the likely attack vector involves an attacker supplying crafted input into the Team Members plugin’s fields, which is then rendered unescaped on pages viewed by other site users. This stored XSS can be executed in the browsers of users who view the affected page, potentially enabling session hijacking, cookie theft, or other client‑side attacks against site visitors or administrators. The weakness is captured by CWE‑79, which concerns insecure rendering of user input.

The affected product is the WordPress plugin Team Members for Elementor Page Builder, developed by Sultan Nasir Uddin, and applies to all releases from the earliest version through version 1.0.4 inclusive.

The CVSS base score of 6.5 indicates moderate severity, and the EPSS score of less than 1 % suggests a very low probability of widespread exploitation at the current time; the vulnerability is not listed in the CISA KEV catalog. The likely attack path is through the plugin’s input fields where malicious script payloads can be stored; an attacker could broadcast such content that will be rendered on any site that has the plugin installed and is not yet patched. Successful exploitation would allow the attacker to run arbitrary client‑side code in the victim’s browser, compromising confidentiality, integrity, and potentially availability of the site’s content.