This vulnerability is an improper neutralization of input during web page generation that allows a DOM‑based XSS flaw in the Team Showcase plugin for WordPress. An attacker can embed malicious script code into the page that is rendered in the victim’s browser, potentially allowing session hijacking, defacement or the execution of arbitrary client‑side code. The flaw does not provide direct server‑side code execution, but it does compromise the confidentiality and integrity of user sessions and the overall integrity of the affected web content.

The issue affects the WordPress plugin Team Showcase developed by cmoreira. Versions prior to 25.05.13 are vulnerable; any installation using a version older than this is impacted until an update is applied.

The CVSS score of 7.1 classifies this as Medium‑High severity. The EPSS score of less than 1% indicates that practical exploitation in the field is expected to be rare. It is not listed in the CISA KEV catalog. Attackers would most likely craft a malicious URL that includes unsafe input parameters, causing the vulnerable script to execute in the victim’s browser context. The lack of a public exploit has reduced the immediate risk, but the impact of successful exploitation remains significant for affected sites.