Description
Improper Control of Generation of Code ('Code Injection') vulnerability in cmoreira Team Showcase team-showcase-cm allows Code Injection. This issue affects Team Showcase: from n/a through < 25.05.13.
Published: 2025-06-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can inject PHP code via shortcodes in the Team Showcase plugin, enabling execution of arbitrary code within the WordPress environment. This code‑injection flaw (CWE‑94) can compromise the confidentiality, integrity, and availability of the site, allowing unauthorized data access, defacement, or further exploitation.

Affected Systems

The vulnerability affects the cmoreira Team Showcase plugin for all releases before 25.05.13. Users running any version of the plugin prior to this release are at risk, regardless of WordPress core version.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of <1% suggests a low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely exploit the flaw from a remote position by injecting malicious shortcodes into posts or pages; the attack vector is inferred from the plugin’s ability to process arbitrary shortcode content.

Generated by OpenCVE AI on April 30, 2026 at 12:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Team Showcase release (25.05.13 or newer) to remove the code‑injection flaw.
  • If an update cannot be applied immediately, disable the plugin or remove the shortcode handling capability to prevent malicious execution.
  • Inspect existing content for suspicious shortcodes, delete or sanitize them, and back up the site before performing the update.



Advisories
Source ID Title
EUVD EUVD-2025-17286 Improper Control of Generation of Code ('Code Injection') vulnerability in cmoreira Team Showcase allows Code Injection. This issue affects Team Showcase: from n/a through n/a.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Control of Generation of Code ('Code Injection') vulnerability in cmoreira Team Showcase allows Code Injection. This issue affects Team Showcase: from n/a through n/a.
Added: Improper Control of Generation of Code ('Code Injection') vulnerability in cmoreira Team Showcase team-showcase-cm allows Code Injection. This issue affects Team Showcase: from n/a through < 25.05.13.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in cmoreira Team Showcase allows Code Injection. This issue affects Team Showcase: from n/a through n/a.
Title WordPress Team Showcase plugin < 25.05.13 - Arbitrary Shortcode Execution vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.969Z

Reserved: 2025-06-04T09:41:05.254Z

Link: CVE-2025-49250

Vulnrichment

Updated: 2025-06-06T15:40:05.071Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:42.557

Modified: 2026-04-23T15:31:19.453

Link: CVE-2025-49250

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:15:36Z

Weaknesses