
CVE-2026-12114

MEDIUM · 4.4
hype PURE HYPE · 12 hack

Recycled NVD data, zero PoC or in-the-wild signal, no advisory.

What: Stored XSS in the Team Members WordPress plugin (versions ≤ 8.7) via the plugin's admin settings. Exploitable only by an authenticated administrator, and only on multisite installs or installs where the unfiltered_html capability has been disabled. CVSS 3.1 base score 4.4 (medium).

Why it matters: Published same day; no KEV listing, no confirmed public PoC, no vendor advisory signal yet. Requires administrator-level permissions, which lowers real-world risk substantially: on a single-site install an administrator already holds unfiltered_html and can publish raw script legitimately, so the bug only adds capability where WordPress deliberately withholds it (multisite, or DISALLOW_UNFILTERED_HTML set). Chatter is primarily feed-flooding and automated CVE tracking, not defender triage or exploitation reports.

Where it's seen: Bluesky posts recycling NVD data and risk aggregator summaries; no working exploit, no vendor response, no WordPress security team advisory visible yet.

RISK: LOW — Admin-only XSS on niche plugin with restricted deployment scope.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/30/2026, 6:26:18 PM

Description

The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
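The pattern the description refers to, as an added illustration that is not the Team Members plugin's own code: a settings field saved without sanitization and echoed without escaping, beside the hardened form. Option name, nonce action and function names (tm_demo_*) are hypothetical; the plugin's real option keys are not on this page.

```php
<?php
// Added example, not code from the plugin. tm_demo_* names and the
// 'tm_demo_team_title' option are hypothetical stand-ins.

// --- Vulnerable pattern ----------------------------------------------------
// Saves whatever the admin form posted and later echoes it unescaped.
function tm_demo_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'tm_demo_settings' );
    // No sanitization: '<img src=x onerror=alert(1)>' is stored verbatim.
    update_option( 'tm_demo_team_title', wp_unslash( $_POST['team_title'] ?? '' ) );
}

function tm_demo_render_vulnerable() {
    // No escaping: stored markup executes for every visitor of the page.
    return '<h2 class="tm-title">' . get_option( 'tm_demo_team_title', '' ) . '</h2>';
}

// --- Hardened pattern ------------------------------------------------------
function tm_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'tm_demo_settings' );
    $raw = wp_unslash( $_POST['team_title'] ?? '' );
    // A plain-text title needs no markup at all: strip tags and control chars.
    update_option( 'tm_demo_team_title', sanitize_text_field( $raw ) );
}

function tm_demo_render_hardened() {
    // Escape at output time regardless of what is in the database, in case
    // the option was written by another code path (import, WP-CLI, REST).
    return '<h2 class="tm-title">' . esc_html( get_option( 'tm_demo_team_title', '' ) ) . '</h2>';
}

// If a field is meant to hold limited HTML, reuse the capability WordPress
// already uses to decide who may post raw markup: users with unfiltered_html
// keep their input, everyone else goes through the post-content allowlist,
// which drops <script> and on* handlers. This is exactly the boundary the
// advisory draws: on single-site, admins have the capability anyway.
function tm_demo_filter_html_field( string $raw ): string {
    return current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
}
```

When triaging, the question to ask of an affected install is whether the administrator who can reach the settings page lacks unfiltered_html; if they hold it, the finding adds nothing they could not already do through the post editor.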

CVSS 3.1 breakdown

Exploitability 1.3 · Impact 2.7
vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Weaknesses