CVE-2026-12114
MediumCVSS 4.4Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The Team Members – Multi Language Supported Team Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 8.7 inclusive. This is due to insufficient input sanitization and output escaping.
Risk Assessment
An authenticated attacker with administrator-level permissions can inject arbitrary scripts that execute whenever a user accesses the injected page, potentially leading to session theft, defacement, or further attacks. This affects only multi-site installations and those where unfiltered_html is disabled.
Recommendation
Immediately update the Team Members plugin to the latest available version. For multi-site installations, consider restricting administrator privileges or enabling unfiltered_html filtering.
Original NVD description (English source)
The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

