WP Team – WordPress Team Member Plugin Security & Risk Analysis

wordpress.org/plugins/ht-team-member

WP Team Member provides an Elementor addon, a Visual Composer addon, WordPress default widgets and a ready shortcode for WordPress.

600 active installs · v1.1.8 · PHP + · WP 5.0+ · Updated May 29, 2025
Tags: elementor, team, team-member, widgets, wp-team
Score 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jun 5, 2025

Safety Verdict

Is WP Team – WordPress Team Member Plugin Safe to Use in 2026?

Generally Safe

Score 98/100

WP Team – WordPress Team Member Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jun 5, 2025 · Updated 10mo ago

Risk Assessment

The "ht-team-member" plugin version 1.1.8 presents a mixed security posture. While it demonstrates good practices such as 100% usage of prepared statements for SQL queries, a single nonce check, and two capability checks, there are significant areas of concern. The static analysis reveals the presence of a dangerous function, `create_function`, and a concerningly low percentage of properly escaped outputs (55%), suggesting potential for Cross-Site Scripting (XSS) vulnerabilities.

The vulnerability history further amplifies these concerns. The plugin has a history of two medium-severity CVEs, both related to Cross-Site Scripting. While there are currently no unpatched vulnerabilities, the recurring nature of XSS issues is a red flag. The lack of taint analysis data might indicate limited testing or complex code paths that are difficult to analyze automatically, but it doesn't negate the risks identified by other metrics.

Overall, while the plugin has some strong security foundations, the use of dangerous functions, insufficient output escaping, and past XSS vulnerabilities necessitate caution. The potential for XSS attacks, especially given the history, is the most prominent risk. A thorough manual code review is recommended to identify and remediate potential XSS vectors that may not have been caught by the static analysis.

Key Concerns

  • Presence of dangerous function create_function
  • Low percentage of properly escaped outputs
  • History of 2 medium severity CVEs (XSS)

Vulnerabilities: 2

WP Team – WordPress Team Member Plugin Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2025-49309 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HT Team Member <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 5, 2025 · Patched in 1.1.8 (7d)

CVE-2024-10223 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HT Team Member <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via htteamember Shortcode

Oct 29, 2024 · Patched in 1.1.5 (1d)

Code Analysis
Analyzed Mar 16, 2026

WP Team – WordPress Team Member Plugin Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 116 (140 escaped)
  • Nonce Checks: 1
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

create_function · admin\include\class.settings-api.php:105

    $callback = create_function('', 'echo "' . str_replace( '"', '\"', $section['desc'] ) . '";');

Output Escaping

55% escaped · 256 total outputs

Attack Surface

WP Team – WordPress Team Member Plugin Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[htteamember] include\shortcode.php:323

WordPress Hooks: 18

  • action · admin_enqueue_scripts · admin\admin-init.php:8
  • action · init · admin\classes\Custom_post_type.php:8
  • action · admin_init · admin\include\admin-setting.php:16
  • action · admin_menu · admin\include\admin-setting.php:17
  • action · admin_menu · admin\include\admin-setting.php:18
  • action · wsa_form_bottom_htteam_shortcodeopt_tabs · admin\include\admin-setting.php:19
  • action · init · admin\include\admin-setting.php:20
  • action · admin_enqueue_scripts · admin\include\class.settings-api.php:28
  • action · admin_init · admin\include\Custom_meta_fields.php:3
  • action · save_post · admin\include\Custom_meta_fields.php:107
  • action · admin_menu · admin\include\Recommended_Plugins.php:78
  • action · admin_enqueue_scripts · admin\include\Recommended_Plugins.php:79
  • action · elementor/widgets/widgets_registered · ht-team-member.php:33
  • action · wp_enqueue_scripts · ht-team-member.php:58
  • filter · template_include · ht-team-member.php:73
  • action · load-widgets.php · include\default_widgets.php:8
  • action · widgets_init · include\default_widgets.php:302
  • action · init · include\vc_map.php:430

Maintenance & Trust

WP Team – WordPress Team Member Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 29, 2025
PHP min version
Downloads: 19K

Community Trust

Rating: 86/100
Number of ratings: 3
Active installs: 600

Developer Profile

WP Team – WordPress Team Member Plugin Developer Profile

HT Plugins

23 plugins · 64K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 124 days
Detection Fingerprints

How We Detect WP Team – WordPress Team Member Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/ht-team-member/assests/css/ht-teammember.css
  • /wp-content/plugins/ht-team-member/assests/css/font-awesome.min.css
  • /wp-content/plugins/ht-team-member/assests/css/slick.min.css
  • /wp-content/plugins/ht-team-member/assests/js/slick.min.js
  • /wp-content/plugins/ht-team-member/assests/js/ht-teammin.js
  • /wp-content/plugins/ht-team-member/admin/assets/css/admin_optionspanel.css

Script Paths

  • /wp-content/plugins/ht-team-member/assests/js/slick.min.js
  • /wp-content/plugins/ht-team-member/assests/js/ht-teammin.js

Version Parameters

  • ht-team-member/assests/css/ht-teammember.css?ver=
  • ht-team-member/assests/css/font-awesome.min.css?ver=
  • ht-team-member/assests/css/slick.min.css?ver=
  • ht-team-member/assests/js/slick.min.js?ver=
  • ht-team-member/assests/js/ht-teammin.js?ver=
  • ht-team-member/admin/assets/css/admin_optionspanel.css?ver=

HTML / DOM Fingerprints

CSS Classes
ht-team-member-wrap
Data Attributes
data-member-id
JS Globals
htteammember_admin_url
Shortcode Output
[ht_team_member id=
[ht_team_member]

FAQ

Frequently Asked Questions about WP Team – WordPress Team Member Plugin