{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0833", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-09T21:31:12.462Z", "datePublished": "2026-01-17T06:42:19.058Z", "dateUpdated": "2026-04-08T16:57:17.071Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:17.071Z"}, "affected": [{"vendor": "bplugins", "product": "Team Section Block \u2013 Showcase Team Members with Layout Options", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Team Section Block <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436953%40team-section&new=3436953%40team-section&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-01-09T21:46:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-16T17:54:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T16:06:59.823772Z", "id": "CVE-2026-0833", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:07:08.454Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0833", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T16:06:59.823772Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:07:04.759Z"}}], "cna": {"title": "Team Section Block <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bplugins", "product": "Team Section Block \u2013 Showcase Team Members with Layout Options", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-09T21:46:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-16T17:54:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436953%40team-section&new=3436953%40team-section&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:17.071Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0833", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:17.071Z", "dateReserved": "2026-01-09T21:31:12.462Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-17T06:42:19.058Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Team Section Block para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del bloque del plugin en todas las versiones hasta la 2.0.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en las URL de enlaces de redes sociales proporcionadas por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-0833", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-17T07:16:02.300", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436953%40team-section&new=3436953%40team-section&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T18:05:07.961276+00:00", "value": {"mitigation_remediation": ["Upgrade the Team Section Block plugin to version 2.0.1 or later", "Immediately remove any malicious URLs stored in the team blocks or replace the block content with sanitized inputs", "Restrict Contributor\u2011level roles or audit existing contributors to ensure only trusted users have edit permissions for the plugin blocks"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2013Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed the Team Section Block \u2013 Showcase Team Members with Layout Options plugin and is running version 2.0.0 or older. No other products or versions are listed as affected.", "description_and_impact": "The Team Section Block plugin for WordPress contains a stored cross\u2011site scripting flaw in all releases up to and including 2.0.0. Unsanitized social network link URLs are stored and later rendered without proper escaping, enabling a contributor or higher logged\u2011in user to inject arbitrary JavaScript into the page. An attacker can then execute code in the browsers of anyone viewing the affected page, potentially hijacking sessions, defacing content, or delivering phishing content. The weakness is a classic input validation error identified as CWE\u201179.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1\u202f%, meaning exploitation is currently considered unlikely. It is not listed in the CISA KEV catalog. Attackers must be authenticated with Contributor level or higher, which is the minimum capability required to edit the block and insert malicious URLs. Once injected, the payload executes for any viewer of the page, giving the attacker the ability to perform a range of malicious actions in the context of the victim site."}}}}, "created": "2026-01-19T09:19:20.428573+00:00", "updated": "2026-04-16T18:15:43.291622+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}