Team – Team Members Showcase Plugin Security & Risk Analysis

wordpress.org/plugins/tlp-team

WordPress team plugin to showcase team members with grid, slider, and filterable layouts. Fully compatible with Elementor & Gutenberg.

10K active installs · v5.0.15 · PHP 7.4+ · WP 5.0+ · Updated Mar 9, 2026
Tags: team, team-members, team-plugin, team-showcase, team-slider
Score: 90 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Dec 15, 2025
Safety Verdict

Is Team – Team Members Showcase Plugin Safe to Use in 2026?

Generally Safe

Score 90/100

Team – Team Members Showcase Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Dec 15, 2025 · Updated 25d ago
Risk Assessment

The "tlp-team" v5.0.15 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to secure coding practices in several areas. The plugin exclusively uses prepared statements for SQL queries, has a very high percentage of properly escaped outputs, and implements a significant number of nonce and capability checks. The absence of critical or high severity taint analysis findings is also a positive indicator.

However, notable concerns arise from the attack surface. The plugin exposes 23 entry points, with 2 of these AJAX handlers lacking authentication checks, representing a direct pathway for unauthorized actions if these handlers are exploitable.

The vulnerability history is a significant area of concern. While there are no currently unpatched CVEs, the plugin has a history of 5 known vulnerabilities, including 2 high severity ones (SQL Injection and Missing Authorization) and 3 medium severity ones (XSS and Path Traversal). This pattern suggests a recurring tendency for certain types of vulnerabilities, which, despite being patched, indicates potential underlying architectural weaknesses or insufficient security review processes.

The presence of the "unserialize" dangerous function is also a potential risk, as improper handling of unserialized data can lead to various vulnerabilities. Overall, while some secure coding practices are in place, the significant attack surface with unprotected entry points and a history of critical vulnerability types necessitate careful attention and ongoing vigilance.

Key Concerns

  • Unprotected AJAX handlers
  • History of 2 high severity CVEs
  • History of 3 medium severity CVEs
  • Use of dangerous function: unserialize
  • Bundled library: Select2 (potential for outdated version)
Vulnerabilities: 5

Team – Team Members Showcase Plugin Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 1 CVE
  • 2025: 3 CVEs

Severity Breakdown

  • High: 2
  • Medium: 3

5 total CVEs

CVE-2025-14124 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Team <= 5.0.10 - Unauthenticated SQL Injection

Dec 15, 2025 · Patched in 5.0.11 (30d)

CVE-2025-57975 · medium · 5.4 · Missing Authorization

Team <= 5.0.6 - Missing Authorization

Sep 22, 2025 · Patched in 5.0.7 (11d)

CVE-2024-13439 · medium · 4.3 · Missing Authorization

Team – Team Members Showcase Plugin <= 4.4.9 - Missing Authorization to Authenticated (Subscriber+) Settings Update

Feb 14, 2025 · Patched in 5.0.0 (1d)

CVE-2024-9236 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Team – Team Members Showcase Plugin <= 4.4.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Oct 3, 2024 · Patched in 4.4.2 (240d)

CVE-2022-2557 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Team - WordPress Team Member Showcase Plugin <= 4.1.1 - Directory Traversal to Arbitrary File Read/Deletion

Jul 29, 2022 · Patched in 4.1.2 (543d)
Code Analysis
Analyzed Mar 16, 2026

Team – Team Members Showcase Plugin Code Analysis

  • Dangerous Functions: 45
  • Raw SQL Queries: 0 (6 prepared)
  • Unescaped Output: 21 (952 escaped)
  • Nonce Checks: 21
  • Capability Checks: 26
  • File Operations: 3
  • External Requests: 0
  • Bundled Libraries: 1

Dangerous Functions Found

unserialize · $arg['tlp_skill'] = $skill ? unserialize( $skill ) : []; · app\Controllers\Admin\Ajax\Preview.php:697
unserialize · $customImgSize = ! empty( $meta_value ['ttp_custom_image_size'][0] ) ? unserialize( $meta_value ['tt · app\Controllers\Admin\Ajax\Preview.php:818
unserialize · $allCol = ! empty( $scMeta['ttp_column'][0] ) ? unserialize( $scMeta['ttp_column'][0] ) : []; · app\Controllers\Frontend\Ajax\LoadMore.php:71
unserialize · $customImgSize = ( ! empty( $scMeta['ttp_custom_image_size'][0] ) ? unserialize( $scMeta['ttp_cust · app\Controllers\Frontend\Ajax\LoadMore.php:91
unserialize · $cOpt = isset( $scMeta['carousel'][0] ) ? unserialize( $scMeta['carousel'][0] ) : · app\Controllers\Frontend\Ajax\LoadMore.php:187
unserialize · $arg['tlp_skill'] = unserialize( get_post_meta( $mID, 'skill', true ) ); · app\Controllers\Frontend\Ajax\LoadMore.php:383
unserialize · $tlp_skill = unserialize( get_post_meta( $post->ID, 'skill', true ) ); · app\Controllers\Frontend\Ajax\MultiPopup.php:68
unserialize · $tlp_skill = $tlp_skill ? unserialize( $tlp_skill ) : []; · app\Controllers\Frontend\Ajax\SinglePopup.php:68
unserialize · $tlp_skill = unserialize( get_post_meta( $post->ID, 'skill', true ) ); · app\Controllers\Frontend\Ajax\SmartPopup.php:73
unserialize · 'allCol' => (!empty($meta['ttp_column'][0]) && is_string($meta['ttp_column'][0])) ? unse · app\Controllers\Frontend\Shortcode.php:747
unserialize · 'customImgSize' => (!empty($meta['ttp_custom_image_size'][0]) && is_string($meta['ttp_custom_im · app\Controllers\Frontend\Shortcode.php:779
unserialize · $customImgSize = ! empty( $meta_value['ttp_custom_image_size'][0] ) ? unserialize( $meta_value['ttp_ · app\Controllers\Frontend\Shortcode.php:800
unserialize · $hireme_btn = ! empty( $scMeta['hireme_btn_style'][0] ) ? unserialize( $scMeta['hireme_btn_style · app\Helpers\Fns.php:1021
unserialize · $resume_btn = ! empty( $scMeta['resume_btn_style'][0] ) ? unserialize( $scMeta['resume_btn_style · app\Helpers\Fns.php:1022
unserialize · $readmore_btn = ! empty( $scMeta['readmore_btn_style'][0] ) ? unserialize( $scMeta['readmore_btn_s · app\Helpers\Fns.php:1023
unserialize · $button = ! empty( $scMeta['ttp_button_style'][0] ) ? unserialize( $scMeta['ttp_button_style · app\Helpers\Fns.php:1024
unserialize · $name = ! empty( $scMeta['name'][0] ) ? unserialize( $scMeta['name'][0] ) : null; · app\Helpers\Fns.php:1026
unserialize · $designation = ! empty( $scMeta['designation'][0] ) ? unserialize( $scMeta['designation'][0] ) : · app\Helpers\Fns.php:1027
unserialize · $short_bio = ! empty( $scMeta['short_bio'][0] ) ? unserialize( $scMeta['short_bio'][0] ) : null · app\Helpers\Fns.php:1028
unserialize · $email = ! empty( $scMeta['email'][0] ) ? unserialize( $scMeta['email'][0] ) : null; · app\Helpers\Fns.php:1029
unserialize · $web_url = ! empty( $scMeta['web_url'][0] ) ? unserialize( $scMeta['web_url'][0] ) : null; · app\Helpers\Fns.php:1030
unserialize · $telephone = ! empty( $scMeta['telephone'][0] ) ? unserialize( $scMeta['telephone'][0] ) : null · app\Helpers\Fns.php:1031
unserialize · $mobile = ! empty( $scMeta['mobile'][0] ) ? unserialize( $scMeta['mobile'][0] ) : null; · app\Helpers\Fns.php:1032
unserialize · $fax = ! empty( $scMeta['fax'][0] ) ? unserialize( $scMeta['fax'][0] ) : null; · app\Helpers\Fns.php:1033
unserialize · $location = ! empty( $scMeta['location'][0] ) ? unserialize( $scMeta['location'][0] ) : null; · app\Helpers\Fns.php:1034
unserialize · $skill = ! empty( $scMeta['skill'][0] ) ? unserialize( $scMeta['skill'][0] ) : null; · app\Helpers\Fns.php:1035
unserialize · $social_icon = ! empty( $scMeta['social'][0] ) ? unserialize( $scMeta['social'][0] ) : null; · app\Helpers\Fns.php:1036
unserialize · $mObg = ! empty( $scMeta['overlay_rgba_bg'][0] ) ? unserialize( $scMeta['overlay_rgba_bg'] · app\Helpers\Fns.php:1039
unserialize · $resume_btn = ! empty( $scMeta['ttp_resume_btn_style'][0] ) ? unserialize( $scMeta['ttp_resume_b · templates\sc-css.php:23
unserialize · $hireme_btn = ! empty( $scMeta['ttp_hireme_btn_style'][0] ) ? unserialize( $scMeta['ttp_hireme_b · templates\sc-css.php:24
unserialize · $readmore_btn = ! empty( $scMeta['ttp_readmore_btn_style'][0] ) ? unserialize( $scMeta['ttp_readmo · templates\sc-css.php:25
unserialize · $button = ! empty( $scMeta['ttp_button_style'][0] ) ? unserialize( $scMeta['ttp_button_style · templates\sc-css.php:26
unserialize · $name = ! empty( $scMeta['name'][0] ) ? unserialize( $scMeta['name'][0] ) : null; · templates\sc-css.php:29
unserialize · $designation = ! empty( $scMeta['designation'][0] ) ? unserialize( $scMeta['designation'][0] ) : · templates\sc-css.php:30
unserialize · $short_bio = ! empty( $scMeta['short_bio'][0] ) ? unserialize( $scMeta['short_bio'][0] ) : null · templates\sc-css.php:31
unserialize · $email = ! empty( $scMeta['email'][0] ) ? unserialize( $scMeta['email'][0] ) : null; · templates\sc-css.php:32
unserialize · $web_url = ! empty( $scMeta['web_url'][0] ) ? unserialize( $scMeta['web_url'][0] ) : null; · templates\sc-css.php:33
unserialize · $telephone = ! empty( $scMeta['telephone'][0] ) ? unserialize( $scMeta['telephone'][0] ) : null · templates\sc-css.php:34
unserialize · $mobile = ! empty( $scMeta['mobile'][0] ) ? unserialize( $scMeta['mobile'][0] ) : null; · templates\sc-css.php:35
unserialize · $fax = ! empty( $scMeta['fax'][0] ) ? unserialize( $scMeta['fax'][0] ) : null; · templates\sc-css.php:36
unserialize · $location = ! empty( $scMeta['location'][0] ) ? unserialize( $scMeta['location'][0] ) : null; · templates\sc-css.php:37
unserialize · $skill = ! empty( $scMeta['skill'][0] ) ? unserialize( $scMeta['skill'][0] ) : null; · templates\sc-css.php:38
unserialize · $social_icon = ! empty( $scMeta['social'][0] ) ? unserialize( $scMeta['social'][0] ) : null; · templates\sc-css.php:39
unserialize · $mObg = ! empty( $scMeta['overlay_rgba_bg'][0] ) ? unserialize( $scMeta['overlay_rgba_bg'] · templates\sc-css.php:42
unserialize · $tlp_skill = $tlpSkill ? unserialize( $tlpSkill ) : []; · templates\single-team.php:49

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 6 total queries

Output Escaping

98% escaped · 973 total outputs
Data Flows
All sanitized

Data Flow Analysis

7 flows
<Review> (app\Controllers\Admin\Notices\Review.php:0)
Attack Surface
2 unprotected

Team – Team Members Showcase Plugin Attack Surface

Entry Points: 23
Unprotected: 2

AJAX Handlers 22

auth · wp_ajax_ttpDefaultFilterItem · app\Controllers\Admin\Ajax\DefaultFilter.php:29
auth · wp_ajax_tlpTeamPreviewAjaxCall · app\Controllers\Admin\Ajax\Preview.php:30
auth · wp_ajax_tlp_team_profile_img_remove · app\Controllers\Admin\Ajax\ProfileImage.php:29
auth · wp_ajax_tlpTeamSettings · app\Controllers\Admin\Ajax\Settings.php:30
auth · wp_ajax_teamShortcodeList · app\Controllers\Admin\Ajax\Shortcode.php:29
auth · wp_ajax_tlpTeamSkillInput · app\Controllers\Admin\Ajax\Skill.php:29
auth · wp_ajax_tlpTeamSocialInput · app\Controllers\Admin\Ajax\Social.php:30
auth · wp_ajax_rtteam_dismiss_admin_notice · app\Controllers\Admin\Notices\BlackFriday.php:151
auth · wp_ajax_rtteam_shortcodedismiss_admin_notice · app\Controllers\Admin\Notices\Update.php:111
auth · wp_ajax_tlp-team-update-menu-order · app\Controllers\Admin\TaxSorting.php:45
auth · wp_ajax_ttp-term-update-order · app\Controllers\Admin\TaxSorting.php:46
auth · wp_ajax_ttp-get-term-list · app\Controllers\Admin\TaxSorting.php:47
auth · wp_ajax_ttp_Layout_Ajax_Action · app\Controllers\Frontend\Ajax\LoadMore.php:31
nopriv · wp_ajax_ttp_Layout_Ajax_Action · app\Controllers\Frontend\Ajax\LoadMore.php:32
auth · wp_ajax_tlp_multi_popup_single · app\Controllers\Frontend\Ajax\MultiPopup.php:29
nopriv · wp_ajax_tlp_multi_popup_single · app\Controllers\Frontend\Ajax\MultiPopup.php:30
auth · wp_ajax_tlp_md_popup_single · app\Controllers\Frontend\Ajax\SinglePopup.php:29
nopriv · wp_ajax_tlp_md_popup_single · app\Controllers\Frontend\Ajax\SinglePopup.php:30
auth · wp_ajax_tlp_team_smart_popup · app\Controllers\Frontend\Ajax\SmartPopup.php:29
nopriv · wp_ajax_tlp_team_smart_popup · app\Controllers\Frontend\Ajax\SmartPopup.php:30
auth · wp_ajax_rtGetSpecialLayoutData · app\Controllers\Frontend\Ajax\SpecialLayout.php:29
nopriv · wp_ajax_rtGetSpecialLayoutData · app\Controllers\Frontend\Ajax\SpecialLayout.php:30

Shortcodes 1

[tlpteam] · app\Controllers\Frontend\Shortcode.php:38

WordPress Hooks 59

action · pre_get_posts · app\Abstracts\ElementorWidget.php:333
filter · manage_edit-team_columns · app\Controllers\Admin\AdminColumns.php:27
action · manage_team_posts_custom_column · app\Controllers\Admin\AdminColumns.php:28
filter · manage_edit-team-sc_columns · app\Controllers\Admin\AdminColumns.php:29
action · manage_team-sc_posts_custom_column · app\Controllers\Admin\AdminColumns.php:30
filter · manage_edit-team_sortable_columns · app\Controllers\Admin\AdminColumns.php:31
action · add_meta_boxes · app\Controllers\Admin\Metabox\PostMeta.php:30
action · admin_enqueue_scripts · app\Controllers\Admin\Metabox\PostMeta.php:31
action · save_post · app\Controllers\Admin\Metabox\PostMeta.php:42
action · add_meta_boxes · app\Controllers\Admin\Metabox\ShortcodeMeta.php:32
action · admin_enqueue_scripts · app\Controllers\Admin\Metabox\ShortcodeMeta.php:33
action · save_post · app\Controllers\Admin\Metabox\ShortcodeMeta.php:34
action · edit_form_after_title · app\Controllers\Admin\Metabox\ShortcodeMeta.php:35
action · admin_init · app\Controllers\Admin\Metabox\ShortcodeMeta.php:36
action · before_delete_post · app\Controllers\Admin\Metabox\ShortcodeMeta.php:37
action · admin_footer · app\Controllers\Admin\Metabox\ShortcodeMeta.php:49
filter · get_user_option_meta-box-order_{rttlp_team()->shortCodePT} · app\Controllers\Admin\Metabox\ShortcodeMeta.php:106
action · admin_init · app\Controllers\Admin\Notices\BlackFriday.php:31
action · admin_enqueue_scripts · app\Controllers\Admin\Notices\BlackFriday.php:59
action · admin_notices · app\Controllers\Admin\Notices\BlackFriday.php:66
action · admin_footer · app\Controllers\Admin\Notices\BlackFriday.php:126
action · admin_init · app\Controllers\Admin\Notices\Review.php:27
action · admin_init · app\Controllers\Admin\Notices\Review.php:28
action · admin_notices · app\Controllers\Admin\Notices\Review.php:53
action · admin_notices · app\Controllers\Admin\Notices\Review.php:55
action · admin_init · app\Controllers\Admin\Notices\Update.php:27
action · admin_notices · app\Controllers\Admin\Notices\Update.php:46
action · admin_enqueue_scripts · app\Controllers\Admin\Notices\Update.php:76
action · admin_footer · app\Controllers\Admin\Notices\Update.php:83
action · init · app\Controllers\Admin\Settings.php:29
action · plugins_loaded · app\Controllers\Admin\Settings.php:30
action · admin_menu · app\Controllers\Admin\Settings.php:31
action · in_admin_header · app\Controllers\Admin\Settings.php:131
action · admin_head · app\Controllers\Admin\ShortcodeGenerator.php:33
filter · mce_external_plugins · app\Controllers\Admin\ShortcodeGenerator.php:50
filter · mce_buttons · app\Controllers\Admin\ShortcodeGenerator.php:51
action · admin_init · app\Controllers\Admin\TaxSorting.php:31
action · pre_get_posts · app\Controllers\Admin\TaxSorting.php:44
filter · posts_where · app\Controllers\Frontend\Ajax\LoadMore.php:232
filter · posts_groupby · app\Controllers\Frontend\Ajax\LoadMore.php:234
action · wp_head · app\Controllers\Frontend\CustomCSS.php:29
action · elementor/widgets/register · app\Controllers\Frontend\ElementorAddons.php:30
action · elementor/controls/register · app\Controllers\Frontend\ElementorAddons.php:33
action · elementor/elements/categories_registered · app\Controllers\Frontend\ElementorAddons.php:34
action · elementor/editor/after_enqueue_scripts · app\Controllers\Frontend\ElementorAddons.php:35
action · wp_footer · app\Controllers\Frontend\Shortcode.php:739
filter · template_include · app\Controllers\Frontend\Template.php:30
action · wp_enqueue_scripts · app\Controllers\Frontend\Template.php:31
action · enqueue_block_assets · app\Controllers\GutenbergController.php:30
action · enqueue_block_editor_assets · app\Controllers\GutenbergController.php:31
action · wp_enqueue_scripts · app\Controllers\ScriptsController.php:76
action · widgets_init · app\Controllers\WidgetsController.php:29
filter · image_resize_dimensions · app\Models\ReSizer.php:63
action · wp_footer · app\Widgets\Elementor\Render\GridView.php:199
action · wp_footer · app\Widgets\Elementor\Render\IsotopeView.php:149
action · wp_footer · app\Widgets\Elementor\Render\SliderView.php:146
action · wp_footer · app\Widgets\TeamCarousel.php:132
action · wp_footer · app\Widgets\TeamCarousel.php:133
action · init · app\Widgets\Vc\VcAddon.php:27
Maintenance & Trust

Team – Team Members Showcase Plugin Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 9, 2026
  • PHP min version: 7.4
  • Downloads: 510K

Community Trust

  • Rating: 90/100
  • Number of ratings: 67
  • Active installs: 10K
Developer Profile

Team – Team Members Showcase Plugin Developer Profile

RadiusTheme

16 plugins · 213K total installs

  • Trust score: 77
  • Avg Security Score: 97/100
  • Avg Patch Time: 104 days
Detection Fingerprints

How We Detect Team – Team Members Showcase Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/tlp-team/assets/css/tlp-team-frontend.css
  • /wp-content/plugins/tlp-team/assets/js/frontend/tlp-team-frontend.js
Script Paths
  • /wp-content/plugins/tlp-team/assets/js/admin/tlp-team-admin.js
  • /wp-content/plugins/tlp-team/assets/js/admin/tlp-admin-taxonomy.js
Version Parameters
  • tlp-team/assets/css/tlp-team-frontend.css?ver=
  • tlp-team/assets/js/frontend/tlp-team-frontend.js?ver=
  • tlp-team/assets/js/admin/tlp-team-admin.js?ver=
  • tlp-team/assets/js/admin/tlp-admin-taxonomy.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • tlp-team-frontend
  • tlp-team-member-wrap
  • tlp-team-isotope-filter
  • tlp-team-member-image
  • tlp-team-member-info
  • tlp-field-holder
  • member-field-holder
  • socialLink
HTML Comments
  • <!-- Team Member Info -->
  • <!-- Team Member Social Link -->
  • <!-- Add new -->
Data Attributes
  • data-id
  • id="metaSocialHolder"
  • id="addNewSocial"
  • name="social
JS Globals
  • ttp
Shortcode Output
  • [tlp-team]