{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69335", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:23.433Z", "datePublished": "2026-01-06T16:36:38.562Z", "dateUpdated": "2026-04-28T16:14:37.807Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "team-showcase", "product": "Team Showcase", "vendor": "Themepoints", "versions": [{"changes": [{"at": "3.0.0", "status": "unaffected"}], "lessThanOrEqual": "2.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:15.262Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.<p>This issue affects Team Showcase: from n/a through <= 2.9.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.This issue affects Team Showcase: from n/a through <= 2.9."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.807Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/team-showcase/vulnerability/wordpress-team-showcase-plugin-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Team Showcase plugin <= 2.9 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T16:55:17.919925Z", "id": "CVE-2025-69335", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:51:24.930Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69335", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T16:55:17.919925Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T16:55:44.690Z"}}], "cna": {"title": "WordPress Team Showcase plugin <= 2.9 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Themepoints", "product": "Team Showcase", "versions": [{"status": "affected", "changes": [{"at": "3.0.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.9"}], "packageName": "team-showcase", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:15.262Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/team-showcase/vulnerability/wordpress-team-showcase-plugin-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.This issue affects Team Showcase: from n/a through <= 2.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.<p>This issue affects Team Showcase: from n/a through <= 2.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.807Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69335", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:37.807Z", "dateReserved": "2025-12-31T20:12:23.433Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:38.562Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.This issue affects Team Showcase: from n/a through <= 2.9."}], "id": "CVE-2025-69335", "lastModified": "2026-04-27T21:16:24.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-06T17:15:46.323", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/team-showcase/vulnerability/wordpress-team-showcase-plugin-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:05:16.623402+00:00", "value": {"mitigation_remediation": ["Upgrade the Team Showcase plugin to the latest published version.", "If an update is not available, deactivate or uninstall the plugin to remove the vulnerability from the site.", "Ensure that any data output by the plugin is escaped or sanitized using WordPress core functions such as wp_kses()."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting in the WordPress Team Showcase plugin"}, "threat_synthesis": {"affected_systems": "The Team Showcase plugin by Themepoints, with affected releases from the initial version through version 2.9, frames WordPress sites that use the plugin.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting (XSS) flaw that originates from improper neutralization of input during web page generation. Attackers can inject malicious scripts that are saved to the database and executed when other users view pages that display the data. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "With a CVSS score of 6.5 the flaw presents moderate\u2011to\u2011high severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the most likely attack vector is through submittable fields within the plugin that store input without proper sanitization, allowing an attacker to inject code that runs in the browsers of site visitors."}}}}, "created": "2026-01-07T10:09:03.510986+00:00", "updated": "2026-04-28T10:15:28.848286+00:00", "vendors": ["themepoints", "themepoints$PRODUCT$team_showcase", "wordpress", "wordpress$PRODUCT$wordpress"]}