CVE-2025-8440: 
WordPress vulnerability analysis and mitigation

The Team Members plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-8440) discovered in versions up to and including 5.3.5. The vulnerability was disclosed on September 26, 2025, and affects the first and last name fields of the plugin (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the first and last name fields of the Team Members plugin. It has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising the security of site visitors (NVD).

Website administrators should update the Team Members plugin to a version newer than 5.3.5 to address this vulnerability. The fix has been implemented in the plugin's source code to properly sanitize and escape the affected fields (WordPress Plugin).