Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS.

This issue affects Team Showcase: from n/a through 1.22.28.
Published: 2026-05-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Team Showcase plugin for WordPress suffers a stored cross‑site scripting flaw that permits malicious JavaScript to be injected into pages generated by the plugin. This vulnerability stems from improper neutralization of input, as identified by CWE‑79, and could allow an attacker to hijack user sessions, deface content, or deploy phishing payloads. The impact is a complete compromise of client‑side confidentiality and integrity for any user who views affected content.

Affected Systems

Affecting the PickPlugins Team Showcase plugin, all releases from its initial deployment through version 1.22.28 are vulnerable. Users running these versions on WordPress sites are exposed; the issue does not affect other plugins or WordPress core components.

Risk and Exploitability

With a CVSS score of 6.5 the flaw presents a medium‑to‑high risk level, and its EPSS score is not currently available. The vulnerability is not listed in the CISA KEV catalog, reducing the chance of known widespread exploitation. The attack likely requires that an attacker can submit or modify content through the plugin’s interface, which may be restricted to administrators or contributors. Once injected, the script executes in the browser context of every user who loads the affected pages.

Generated by OpenCVE AI on May 25, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Team Showcase plugin to the latest release (1.22.29 or newer).
  • Ensure that any content submitted via the plugin is sanitized or escaped, or disable features that accept unsanitized user input.
  • If the plugin is not required, deactivate and remove it from the WordPress installation.

Generated by OpenCVE AI on May 25, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Pickplugins
Pickplugins team Showcase
Wordpress
Wordpress wordpress
Vendors & Products Pickplugins
Pickplugins team Showcase
Wordpress
Wordpress wordpress

Mon, 25 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS. This issue affects Team Showcase: from n/a through 1.22.28.
Title WordPress Team Showcase plugin <= 1.22.28 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Pickplugins Team Showcase
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-26T10:52:44.891Z

Reserved: 2025-10-21T14:59:50.024Z

Link: CVE-2025-62745

cve-icon Vulnrichment

Updated: 2026-05-26T10:52:40.345Z

cve-icon NVD

Status : Received

Published: 2026-05-25T22:16:31.933

Modified: 2026-05-25T22:16:31.933

Link: CVE-2025-62745

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T22:30:16Z

Weaknesses