CVE-2022-1568: 
WordPress vulnerability analysis and mitigation

The Team Members WordPress plugin before version 5.1.1 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1568. The vulnerability was discovered and disclosed on May 4, 2022, affecting the Team settings functionality of the plugin. This security issue specifically impacts installations where high-privilege users such as administrators are working with restricted unfiltered_html capabilities (WPScan).

The vulnerability stems from improper escaping of Team settings within the plugin. Specifically, the team_color field ("Main color" setting of a team) is affected and can be exploited through a specially crafted HTTP POST request to /wp-admin/post.php. The vulnerability has been assigned a CVSS v3 Base Score of 4.8 (Medium), with an Impact Score of 2.7 and Exploitability Score of 1.7. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), high privileges (PR:H), and user interaction (UI:R) (AttackerKB).

The vulnerability allows high-privilege users such as administrators to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. This could potentially lead to client-side code execution in the context of other users' browsers who access the affected areas of the WordPress installation (WPScan).

The vulnerability has been patched in version 5.1.1 of the Team Members plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).