PatchSiren cyber security CVE debrief
CVE-2025-62745 PickPlugins CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the Team Showcase WordPress plugin by PickPlugins, affecting versions up to and including 1.22.28. The flaw stems from improper neutralization of input during web page generation (CWE-79), allowing authenticated attackers with low privileges to inject malicious scripts that execute in victims' browsers. The vulnerability was published to the CVE List on May 25, 2026, with subsequent modification on May 26, 2026. NVD currently lists this entry with a status of 'Deferred'. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, user interaction required, and changed scope, resulting in a medium severity score of 6.5. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: PickPlugins
- Product: Team Showcase
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using the PickPlugins Team Showcase plugin, security teams managing WordPress deployments, and developers responsible for plugin security updates should prioritize this vulnerability for remediation.
Technical summary
The Team Showcase plugin fails to properly sanitize user-supplied input before rendering it in web pages, resulting in a stored XSS condition. An attacker with low-privilege authenticated access can inject malicious JavaScript payloads that persist in the application and execute when other users view affected team showcase pages. The CVSS 3.1 vector records that exploitation requires user interaction from the victim and that the scope is changed.
Defensive priority
medium
Recommended defensive actions
- Update the PickPlugins Team Showcase WordPress plugin to a version newer than 1.22.28 as soon as a patched release becomes available
- Review and restrict user roles with plugin access to minimize exposure from low-privilege authenticated attackers
- Implement Content Security Policy headers and output encoding defenses as compensating controls
- Monitor for unusual script injection activity in plugin-generated team showcase content
- Verify plugin update availability through the WordPress admin dashboard or official PickPlugins channels
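The output-encoding and CSP actions above, shown as an added illustration in WordPress PHP. This is not code from the Team Showcase plugin; the field names, the render and sanitize function names and the `ts_` prefix are hypothetical, while `esc_html()`, `esc_attr()`, `esc_url()`, `esc_url_raw()`, `sanitize_text_field()`, `wp_kses_post()` and the `send_headers` action are the standard WordPress API.

```php
<?php
// Added illustration, not code from the Team Showcase plugin. Field names,
// function names and the ts_ prefix are hypothetical; the escaping functions
// and the send_headers hook are the standard WordPress API.

// Vulnerable pattern (CWE-79): stored, attacker-controlled data is echoed raw.
function ts_render_member_unsafe( array $member ) {
    echo '<div class="member" title="' . $member['title'] . '">';
    echo '<a href="' . $member['link'] . '">' . $member['name'] . '</a>';
    echo '<p>' . $member['bio'] . '</p>';
    echo '</div>';
}

// Hardened pattern: escape for the exact output context at render time.
function ts_render_member( array $member ) {
    echo '<div class="member" title="' . esc_attr( $member['title'] ) . '">';
    // esc_url() rejects disallowed URL schemes such as javascript:.
    echo '<a href="' . esc_url( $member['link'] ) . '">' . esc_html( $member['name'] ) . '</a>';
    // A bio may legitimately carry limited markup; wp_kses_post() keeps the
    // post-safe allowlist and strips script tags, on* handlers and the like.
    echo '<p>' . wp_kses_post( $member['bio'] ) . '</p>';
    echo '</div>';
}

// Defence in depth on the write path: sanitize before the value is stored, so a
// low-privilege user cannot persist a payload even if a template forgets to escape.
function ts_sanitize_member( array $raw ) {
    return array(
        'name'  => sanitize_text_field( $raw['name'] ?? '' ),
        'title' => sanitize_text_field( $raw['title'] ?? '' ),
        'link'  => esc_url_raw( $raw['link'] ?? '' ),
        'bio'   => wp_kses_post( $raw['bio'] ?? '' ),
    );
}

// Compensating control while waiting for a patched release: a CSP without
// 'unsafe-inline' keeps a stored inline payload from executing on the front end.
// Assumes the theme and other plugins do not rely on inline scripts; WordPress
// core emits some, so test the policy in report-only mode first.
add_action( 'send_headers', function () {
    if ( ! is_admin() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
} );
```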
Evidence notes
The vulnerability description and affected version range are sourced from the official CVE record and NVD entry. CVSS scoring details and CWE classification are derived from NVD metadata. The Patchstack reference provides additional technical context regarding the affected plugin and vulnerability type.
Official resources
- CVE-2025-62745 CVE record (CVE.org)
- CVE-2025-62745 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: The vulnerability was disclosed through Patchstack's vulnerability database and subsequently assigned CVE-2025-62745. The affected vendor is PickPlugins, with the Team Showcase plugin being the specific product impacted.