Team Members Showcase Security & Risk Analysis

wordpress.org/plugins/wps-team

WordPress Team Members Showcase plugin – display staff or team profiles in grids, sliders, tables, or lists with filters, popups, drawers & panels.

4K active installs · v3.5.6 · PHP 7.0+ · WP 5.9+ · Updated Dec 8, 2025
Tags: staff-directory, team-members, team-showcase, team-slider, wordpress-team-plugin
Score 95 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Oct 22, 2025
Safety Verdict

Is Team Members Showcase Safe to Use in 2026?

Generally Safe

Score 95/100

Team Members Showcase has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Oct 22, 2025 · Updated 3mo ago
Risk Assessment

The 'wps-team' plugin v3.5.6 presents a mixed security posture, with several concerning findings despite some good practices.

The static analysis reveals a moderate attack surface with one unprotected AJAX handler, which poses a direct risk of unauthorized actions. The presence of the `unserialize` function is a significant red flag, especially when combined with eight unsanitized taint flows, three of which are rated as high severity. While the majority of SQL queries use prepared statements and most output is properly escaped, these specific code signals, particularly the potential for a deserialization vulnerability and the unsanitized inputs, indicate a substantial risk of code injection and data manipulation.

The plugin's vulnerability history shows a pattern of Cross-site Scripting and Deserialization vulnerabilities, with three past CVEs. Although there are currently no unpatched CVEs, the recurrence of these specific vulnerability types, especially deserialization, reinforces the concerns raised by the static analysis. The recent vulnerability in 2025 suggests that while patches may exist, the underlying code patterns prone to these issues persist. The plugin demonstrates good practices in using nonce and capability checks, and its use of prepared SQL statements is commendable, but the high number of unsanitized taint flows and the presence of `unserialize` overshadow these strengths. The bundled Freemius library also needs to be monitored for potential vulnerabilities. Overall, the plugin requires immediate attention due to the high-severity taint flows and the historical predisposition to deserialization and XSS issues.

Key Concerns

  • Unprotected AJAX handler
  • High severity taint flows (3)
  • Dangerous function: unserialize
  • Taint flows with unsanitized paths (8)
  • Vulnerability history: high severity CVE (1)
  • Vulnerability history: medium severity CVEs (2)
  • Bundled library: Freemius v1.0
Vulnerabilities: 3

Team Members Showcase Security Vulnerabilities

CVEs by Year

3 CVEs in 2025

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-11560 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Team Members Showcase <= 3.4.0 - Reflected Cross-Site Scripting

Oct 22, 2025 · Patched in 3.5.0 (27d)

CVE-2025-3521 · medium · 6.4 · Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 30, 2025 · Patched in 3.4.2 (189d)

CVE-2025-32686 · high · 8.8 · Deserialization of Untrusted Data

Team Members <= 3.4.4 - Authenticated (Contributor+) PHP Object Injection

Apr 15, 2025 · Patched in 3.4.5 (87d)
Code Analysis
Analyzed Mar 16, 2026

Team Members Showcase Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 19 · 19 prepared
Unescaped Output: 25 · 228 escaped
Nonce Checks: 4
Capability Checks: 10
File Operations: 6
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

`unserialize` · `return unserialize( $data );` · includes\utils.php:2612

Bundled Libraries

Freemius 1.0

SQL Query Safety

50% prepared · 38 total queries

Output Escaping

90% escaped · 253 total outputs

Data Flows: 8 unsanitized

Data Flow Analysis

9 flows · 8 with unsanitized paths
<notifications> (includes\notifications\notifications.php:0)

Attack Surface: 1 unprotected

Team Members Showcase Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_wps_team_notification_action · includes\notifications\notifications.php:26

Shortcodes: 1

[wpspeedo-team] · includes\shortcode.php:10

WordPress Hooks: 73

filter · fs_is_submenu_visible_wps-team · freemius.php:49
action · admin_menu · includes\admin\admin.php:10
action · admin_enqueue_scripts · includes\admin\admin.php:11
action · admin_enqueue_scripts · includes\admin\admin.php:12
action · template_redirect · includes\admin\admin.php:23
action · show_admin_bar · includes\admin\admin.php:35
filter · wpspeedo_team/post_link_attrs · includes\compatibility.php:15
action · admin_menu · includes\data.php:11
action · in_admin_header · includes\data.php:12
action · init · includes\data.php:16
action · init · includes\data.php:20
action · add_meta_boxes · includes\data.php:32
action · admin_head · includes\data.php:40
action · admin_init · includes\demo-import\demo-import.php:25
action · edit_form_before_permalink · includes\editor\meta-box-editor.php:12
filter · default_wp_template_part_areas · includes\hooks.php:11
action · init · includes\hooks.php:12
action · init · includes\hooks.php:13
filter · template_include · includes\hooks.php:15
action · init · includes\hooks.php:17
action · wpspeedo_team/before_single_team · includes\hooks.php:18
action · wpspeedo_team/before_wrapper_inner · includes\hooks.php:19
action · wpspeedo_team/before_wrapper_inner · includes\hooks.php:20
action · wpspeedo_team/after_wrapper_inner · includes\hooks.php:21
action · wpspeedo_team/after_wrapper_inner · includes\hooks.php:22
action · wpspeedo_team/after_posts · includes\hooks.php:23
filter · wpspeedo_team/query_params · includes\hooks.php:24
action · divi_extensions_init · includes\integrations\divi\integration.php:13
action · et_builder_modules_loaded · includes\integrations\divi\integration.php:21
action · wp_enqueue_scripts · includes\integrations\divi\integration.php:22
action · wp_head · includes\integrations\divi\integration.php:23
action · elementor/widgets/widgets_registered · includes\integrations\elementor\integration.php:10
action · elementor/elements/categories_registered · includes\integrations\elementor\integration.php:11
action · elementor/editor/after_enqueue_styles · includes\integrations\elementor\integration.php:12
action · elementor/preview/enqueue_styles · includes\integrations\elementor\integration.php:13
action · elementor/preview/enqueue_scripts · includes\integrations\elementor\integration.php:14
action · init · includes\integrations\gutenberg\integration.php:10
action · enqueue_block_editor_assets · includes\integrations\gutenberg\integration.php:11
action · enqueue_block_assets · includes\integrations\gutenberg\integration.php:12
action · vc_before_init · includes\integrations\wpbakery\integration.php:10
action · admin_footer · includes\integrations\wpbakery\integration.php:11
action · vc_load_iframe_jscss · includes\integrations\wpbakery\integration.php:12
filter · excerpt_length · includes\loaders\shortcode-loader.php:326
action · wp_head · includes\managers\assets-manager.php:42
action · wp_head · includes\managers\assets-manager.php:43
action · wp_enqueue_scripts · includes\managers\assets-manager.php:44
action · wp_footer · includes\managers\assets-manager.php:45
filter · widget_update_callback · includes\managers\assets-manager.php:46
action · post_updated · includes\managers\assets-manager.php:47
action · update_option_sidebars_widgets · includes\managers\assets-manager.php:48
action · wps_shortcode_created · includes\managers\assets-manager.php:49
action · wps_shortcode_updated · includes\managers\assets-manager.php:50
action · wps_shortcode_deleted · includes\managers\assets-manager.php:51
action · wps_preference_update · includes\managers\assets-manager.php:52
action · wp_footer · includes\managers\assets-manager.php:252
action · wps_team_display_notice · includes\notifications\notifications.php:23
action · wps_team_display_popup · includes\notifications\notifications.php:24
action · in_admin_header · includes\notifications\notifications.php:27
action · admin_notices · includes\notifications\notifications.php:39
filter · wpspeedo_team/controls/tabs · includes\plugin.php:93
filter · wpspeedo_team/controls/default_tab · includes\plugin.php:96
filter · wp_image_editors · includes\thumbly.php:101
filter · image_resize_dimensions · includes\thumbly.php:730
filter · image_downsize · includes\thumbly.php:775
filter · embed_oembed_html · includes\utils.php:1988
action · after_setup_theme · includes\variables.php:12
action · admin_notices · initialize.php:11
action · admin_notices · initialize.php:14
action · plugins_loaded · initialize.php:16
action · plugins_loaded · initialize.php:17
action · plugins_loaded · initialize.php:18
action · plugins_loaded · initialize.php:19
action · admin_head · initialize.php:20

Maintenance & Trust

Team Members Showcase Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 8, 2025
PHP min version: 7.0
Downloads: 87K

Community Trust

Rating: 98/100
Number of ratings: 20
Active installs: 4K

Developer Profile

Team Members Showcase Developer Profile

WPSpeedo

1 plugin · 4K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 101 days

Detection Fingerprints

How We Detect Team Members Showcase

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wps-team/assets/libs/fontawesome/css/all.min.css
/wp-content/plugins/wps-team/admin/assets/css/style.min.css
/wp-content/plugins/wps-team/admin/assets/js/script.min.js
Script Paths
/wp-content/plugins/wps-team/admin/assets/js/script.min.js
Version Parameters
wps-team/admin/assets/css/style.min.css?ver=
wps-team/admin/assets/js/script.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpspeedo--plugin-wrap, wpspeedo--team-members-wrap, wpspeedo--app-container, wpspeedo--app, gs-sm-sec-shortcode-preview--page
Data Attributes
data-nonce, data-ajaxurl, data-adminurl, data-siteurl, data-pluginurl, data-version, +9 more
JS Globals
WPS_TEAM_VERSION, WPS_TEAM_FILE, WPS_TEAM_PATH, WPS_TEAM_URL, WPS_TEAM_INC_PATH, WPS_TEAM_ADMIN_PATH, +6 more