PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8870 adnanmoqsood CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the Team Master – A Modern WordPress Team Showcase plugin for WordPress. The flaw stems from insufficient input sanitization and output escaping within shortcode attributes, allowing authenticated attackers with contributor-level access or higher to inject arbitrary web scripts. These scripts execute when any user accesses a page containing the injected content. The vulnerability affects all versions up to and including 1.1.2. The issue was disclosed on 2026-05-27 and has been assigned a CVSS 3.1 score of 6.4 (Medium severity). No known exploitation in the wild or ransomware campaign use has been reported.

Vendor
adnanmoqsood
Product
Team Master – A Modern WordPress Team Showcase
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using the Team Master plugin; security teams managing content management system (CMS) deployments; developers maintaining WordPress plugins with shortcode functionality; organizations with multi-author WordPress environments where contributor permissions are granted to untrusted users.

Technical summary

The Team Master plugin fails to properly sanitize and escape user-supplied input passed through shortcode attributes. Specifically, the public shortcode handler in team-master-public-shortcode.php (line 106) renders attribute values without adequate output encoding, enabling script injection. The vulnerability requires authenticated access at contributor level or above, limiting exposure to sites with untrusted content authors. The stored nature of the XSS means injected payloads persist and execute for all subsequent page visitors.

Defensive priority

medium

Recommended defensive actions

  • Update Team Master plugin to version 1.1.3 or later if available
  • Review and restrict contributor-level user permissions where possible
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Audit existing posts and pages for suspicious shortcode attributes
  • Consider Web Application Firewall (WAF) rules to filter malicious shortcode input

Evidence notes

Vulnerability confirmed via Wordfence security advisory and plugin source code analysis. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as the root cause. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources

2026-05-27