Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labib Ahmed Team Builder team-display allows Reflected XSS. This issue affects Team Builder: from n/a through <= 1.3.
Published: 2025-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to inject and execute arbitrary JavaScript in a victim’s browser when malicious input is reflected back in the response. This results in client-side script execution that can compromise the confidentiality and integrity of the user session. While the CVE entry does not enumerate specific downstream exploits, reflected XSS in a WordPress plugin can enable a range of client-side attacks.

Affected Systems

WordPress installations that use the Labib Ahmed Team Builder plugin up to and including version 1.3. The issue exists in the plugin’s team-display component and affects all sites that have this plugin enabled, regardless of other WordPress or plugin configurations.

Risk and Exploitability

The CVSS score of 7.1 rates the vulnerability as high severity. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs no special prerequisites beyond crafting a malicious request that includes the reflected input; based on the description, the likely attack vector is inferred to be normal page rendering when a user follows a crafted URL. The vulnerability can be triggered simply by directing a user to a malicious link that passes untrusted data to the vulnerable component.

Generated by OpenCVE AI on May 1, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Team Builder plugin to a version newer than 1.3 in which the XSS defect has been fixed.
  • If immediate upgrade is not possible, sanitize or encode any user input that is reflected back by the plugin before rendering it in the page to prevent script execution.
  • Implement a Content Security Policy that disallows inline script execution or restricts script sources to trusted origins, adding an additional defensive layer against accidental XSS exposure.



Advisories
Source: EUVD
ID: EUVD-2025-9619
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labib Ahmed Team Builder allows Reflected XSS. This issue affects Team Builder: from n/a through 1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labib Ahmed Team Builder allows Reflected XSS. This issue affects Team Builder: from n/a through 1.3.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labib Ahmed Team Builder team-display allows Reflected XSS.This issue affects Team Builder: from n/a through <= 1.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 03 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labib Ahmed Team Builder allows Reflected XSS. This issue affects Team Builder: from n/a through 1.3.
Title WordPress Team Builder plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.830Z

Reserved: 2025-04-01T13:21:40.754Z

Link: CVE-2025-31907

Vulnrichment

Updated: 2025-04-03T14:17:23.350Z

NVD

Status: Deferred

Published: 2025-04-03T14:15:42.953

Modified: 2026-04-23T15:28:31.683

Link: CVE-2025-31907

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:30:15Z
