What is CVE-2025-68060?

CVE-2025-68060 is a SQL Injection vulnerability affecting the Team Members – Multi Language Supported Team Plugin for WordPress, specifically in versions up to and including 8.5. It allows authenticated users with editor-level access or higher to execute arbitrary SQL queries against the database.

How does the SQL Injection work in this vulnerability?

The vulnerability arises from insufficient escaping of user-supplied parameters in SQL queries. An attacker can manipulate input parameters to include SQL injection payloads, allowing them to extract sensitive information from the WordPress database.

Who is affected by this vulnerability?

Users of the Team Members – Multi Language Supported Team Plugin for WordPress who are running version 8.5 or earlier are affected. Additionally, only authenticated users with editor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Team Members – Multi Language Supported Team Plugin installed on your WordPress site. If it is version 8.5 or earlier, your site is at risk.

What should I do to fix this vulnerability?

The vulnerability has been patched in version 8.6 of the plugin. To mitigate the issue, you should update the Team Members – Multi Language Supported Team Plugin to version 8.6 or later as soon as possible.

What is the risk level of this vulnerability?

CVE-2025-68060 has a CVSS score of 4.9, categorized as Medium severity. This indicates that while the vulnerability can lead to data exfiltration, it requires authenticated access, limiting the overall risk to sites.

What kind of data could be exposed through this vulnerability?

Successful exploitation of this vulnerability could allow attackers to access sensitive data such as usernames, password hashes from the wp_users table, user meta information, and potentially other database content.

How does the proof of concept demonstrate the issue?

The proof of concept for this vulnerability typically involves sending a crafted request to a vulnerable AJAX action or shortcode handler, manipulating parameters to include SQL injection payloads. This demonstrates how the vulnerability allows attackers to execute arbitrary SQL against the database.

What are prepared statements, and why are they important?

Prepared statements are a way to execute SQL queries where the parameters are bound separately from the query itself. This prevents SQL injection by ensuring that user input is treated as data, not executable code, which is crucial for securing database interactions.

Can this vulnerability lead to a complete site takeover?

While CVE-2025-68060 allows for data extraction, the requirement for authenticated access means that it does not directly enable complete site takeover. However, it can lead to privilege escalation and sensitive data exposure.

What is the significance of the code diff in the patch?

The code diff from version 8.5 to 8.6 indicates that the plugin’s version was updated, but the actual fix likely involves changes in how SQL queries are constructed in other files. The patch should implement proper input validation and escaping to prevent SQL injection.

Is there a way to mitigate the risk if I cannot update immediately?

If you cannot update the plugin immediately, consider restricting access to the WordPress admin area, limiting editor-level access, and monitoring for unusual database activity as temporary mitigation measures.

Published : May 16, 2026

CVE-2025-68060: Team Members – Multi Language Supported Team Plugin <= 8.5 – Authenticated (Editor+) SQL Injection (team-showcase-supreme)

CVE ID CVE-2025-68060

Plugin team-showcase-supreme

Severity Medium (CVSS 4.9)

CWE 89

Vulnerable Version 8.5

Patched Version 8.6

Disclosed May 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68060:

This is an SQL Injection vulnerability in the Team Members – Multi Language Supported Team Plugin for WordPress, affecting versions up to and including 8.5. An authenticated attacker with editor-level access or higher can inject arbitrary SQL queries into existing database operations, potentially extracting sensitive information. The vulnerability carries a CVSS score of 4.9 (Medium).

Root Cause: The code diff shows only a version bump from 8.5 to 8.6 in the plugin’s main file (team-showcase-supreme/index.php). The actual vulnerable code is not shown in the diff, which means the vulnerable SQL query exists in other plugin files. The description confirms insufficient escaping on user-supplied parameters and lack of prepared statements in SQL queries. The vulnerability likely resides in an AJAX handler or shortcode callback that accepts user input and directly concatenates it into SQL queries without proper sanitization or parameterization.

Exploitation: An authenticated attacker with editor-level access or higher would send a crafted request to a vulnerable WordPress AJAX action or shortcode handler. The attacker would manipulate a parameter (likely a numeric ID or text field) to contain SQL injection payloads such as `’ OR 1=1– -` or `’ UNION SELECT …`. Since the plugin fails to escape the parameter and does not use prepared statements, the injected SQL executes against the WordPress database.

Patch Analysis: The patch increments the version number from 8.5 to 8.6, indicating that the actual fix was applied to the SQL query implementation in other files of the plugin. The patch likely adds proper input validation and escaping (e.g., using `intval()` for numeric parameters or `$wpdb->prepare()` with placeholders) to prevent SQL injection. Before the patch, raw user input was directly embedded in SQL queries. After the patch, the plugin uses parameterized queries or strict type checking.

Impact: Successful exploitation allows an attacker to extract sensitive data from the WordPress database, including usernames and password hashes from the `wp_users` table, user meta information, and potentially post content or configuration data. Since the attacker requires editor-level access, the impact is limited to privilege escalation and data exfiltration but not complete site takeover from an unauthenticated position.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/team-showcase-supreme/index.php
+++ b/team-showcase-supreme/index.php
@@ -8,14 +8,14 @@
   Author URI: http://www.wpmart.org/
   Text Domain: team-showcase-supreme
   Domain Path: /languages
-  Version: 8.5
+  Version: 8.6
  */
 if (!defined('ABSPATH'))
    exit;

 define('wpm_6310_plugin_url', plugin_dir_path(__FILE__));
 define('wpm_6310_plugin_dir_url', plugin_dir_url(__FILE__));
-define ('WPM_PLUGIN_CURRENT_VERSION', 8.5);
+define ('WPM_PLUGIN_CURRENT_VERSION', 8.6);
 define( 'WPM_6310_PLUGIN_LANGUAGE_PATH', dirname( plugin_basename( __FILE__ ) ) . '/languages' );

 add_shortcode('wpm_team_showcase', 'wpm_team_showcase_supreme_shortcode');

Frequently Asked Questions

What is CVE-2025-68060?
Understanding the vulnerability
CVE-2025-68060 is a SQL Injection vulnerability affecting the Team Members – Multi Language Supported Team Plugin for WordPress, specifically in versions up to and including 8.5. It allows authenticated users with editor-level access or higher to execute arbitrary SQL queries against the database.
How does the SQL Injection work in this vulnerability?
Mechanics of exploitation
The vulnerability arises from insufficient escaping of user-supplied parameters in SQL queries. An attacker can manipulate input parameters to include SQL injection payloads, allowing them to extract sensitive information from the WordPress database.
Who is affected by this vulnerability?
Identifying impacted users
Users of the Team Members – Multi Language Supported Team Plugin for WordPress who are running version 8.5 or earlier are affected. Additionally, only authenticated users with editor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the Team Members – Multi Language Supported Team Plugin installed on your WordPress site. If it is version 8.5 or earlier, your site is at risk.
What should I do to fix this vulnerability?
Updating the plugin
The vulnerability has been patched in version 8.6 of the plugin. To mitigate the issue, you should update the Team Members – Multi Language Supported Team Plugin to version 8.6 or later as soon as possible.
What is the risk level of this vulnerability?
Understanding CVSS score
CVE-2025-68060 has a CVSS score of 4.9, categorized as Medium severity. This indicates that while the vulnerability can lead to data exfiltration, it requires authenticated access, limiting the overall risk to sites.
What kind of data could be exposed through this vulnerability?
Potential data leakage
Successful exploitation of this vulnerability could allow attackers to access sensitive data such as usernames, password hashes from the wp_users table, user meta information, and potentially other database content.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept for this vulnerability typically involves sending a crafted request to a vulnerable AJAX action or shortcode handler, manipulating parameters to include SQL injection payloads. This demonstrates how the vulnerability allows attackers to execute arbitrary SQL against the database.
What are prepared statements, and why are they important?
Preventing SQL Injection
Prepared statements are a way to execute SQL queries where the parameters are bound separately from the query itself. This prevents SQL injection by ensuring that user input is treated as data, not executable code, which is crucial for securing database interactions.
Can this vulnerability lead to a complete site takeover?
Assessing the impact
While CVE-2025-68060 allows for data extraction, the requirement for authenticated access means that it does not directly enable complete site takeover. However, it can lead to privilege escalation and sensitive data exposure.
What is the significance of the code diff in the patch?
Understanding the fix
The code diff from version 8.5 to 8.6 indicates that the plugin’s version was updated, but the actual fix likely involves changes in how SQL queries are constructed in other files. The patch should implement proper input validation and escaping to prevent SQL injection.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary measures
If you cannot update the plugin immediately, consider restricting access to the WordPress admin area, limiting editor-level access, and monitoring for unusual database activity as temporary mitigation measures.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations