CVE-2024-10223: 
WordPress vulnerability analysis and mitigation

The WP Team – WordPress Team Member Plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-10223) in versions up to and including 1.1.4. The vulnerability exists in the plugin's htteamember shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The issue was discovered and disclosed on October 30, 2024 (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and required privileges (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising user data and website security (NVD).

The vulnerability was addressed in version 1.1.5 of the WP Team plugin, released on October 29, 2024. Users are advised to update to this version or later to protect against this security issue (WordPress Plugin).