CVE-2025-68060

Team Members – Multi Language Supported Team Plugin <= 8.5 - Authenticated (Editor+) SQL Injection

mediumImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
4.9
CVSS Score
4.9
CVSS Score
medium
Severity
8.6
Patched in
5d
Time to patch

Description

The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 8.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=8.5
PublishedMay 7, 2026
Last updatedMay 11, 2026
Affected pluginteam-showcase-supreme

What Changed in the Fix

Changes introduced in v8.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-68060 ## 1. Vulnerability Summary The **Team Members – Multi Language Supported Team Plugin** (up to version 8.5) is vulnerable to an **authenticated SQL Injection** vulnerability. The flaw exists in the admin management interface where user-supplied paramete…

Show full research plan

Exploitation Research Plan - CVE-2025-68060

1. Vulnerability Summary

The Team Members – Multi Language Supported Team Plugin (up to version 8.5) is vulnerable to an authenticated SQL Injection vulnerability. The flaw exists in the admin management interface where user-supplied parameters (specifically IDs used to fetch or manage team members/categories) are concatenated directly into SQL queries without proper sanitization or the use of $wpdb->prepare(). This allows an attacker with Editor level permissions or higher to execute arbitrary SQL commands to extract sensitive data from the WordPress database.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin.php
  • Hook/Action: The vulnerability resides in the callback functions for the plugin's admin menu pages, specifically wpm_team_6310_team_member (Manage Members) or wpm_team_6310_category (Manage Category).
  • Vulnerable Parameter: id (or potentially cat_id).
  • Authentication: Required. An Editor user (or any user with the capability returned by wpm_6310_get_user_roles(), which typically defaults to edit_posts or manage_options) can trigger the exploit.
  • Preconditions: The plugin must be active. At least one team member or category should ideally exist to ensure the vulnerable code path executes a query against a valid record.

3. Code Flow

  1. Entry Point: An authenticated user with Editor privileges navigates to wp-admin/admin.php?page=team-showcase-supreme-team-member&id=[PAYLOAD].
  2. Hook Registration: index.php registers the menu page:
    add_submenu_page('team-showcase-supreme', 'Manage Members', 'Manage Members', $options, 'team-showcase-supreme-team-member', 'wpm_team_6310_team_member');
    
  3. Vulnerable Sink: The function wpm_team_6310_team_member (defined in an included file, likely settings/helper/functions.php or home.php) retrieves $_GET['id'].
  4. Execution: The unescaped id is used in a query such as:
    $wpdb->get_results("SELECT * FROM {$wpdb->prefix}wpm_6310_team_member WHERE id = " . $_GET['id']);
    
  5. Result: The SQL engine executes the injected payload, allowing for time-based or union-based data extraction.

4. Nonce Acquisition Strategy

Based on the analysis of index.php, the admin pages for "Manage Members" and "Manage Categories" do not appear to implement a mandatory nonce check for simple GET requests that display member details.

  • If the vulnerability is in the display/edit logic of the page, no nonce is required.
  • If the vulnerability is in an AJAX handler (e.g., wpm_6310_team_member_info), index.php shows that my_ajax_object is localized without a nonce:
    wp_localize_script('wpm-6310-ajax-script', 'my_ajax_object', array('ajax_url' => admin_url('admin-ajax.php')));
    
    This implies the AJAX handlers may also lack nonce verification, allowing direct exploitation via admin-ajax.php once authenticated.

5. Exploitation Strategy

We will use a time-based SQL injection to confirm the vulnerability and then a UNION-based approach to extract the administrator's password hash.

Step 1: Confirmation (Time-based)

Send a request as an Editor that triggers a 5-second delay.

  • Request Type: GET
  • URL: wp-admin/admin.php
  • Parameters:
    • page: team-showcase-supreme-team-member
    • id: 1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)

Step 2: Data Extraction (UNION-based)

  1. Find Column Count: Iterate ORDER BY X until an error occurs to determine the number of columns in the wpm_6310_team_member table.
  2. Extract Admin Hash:
    • Payload: 1 UNION SELECT 1,user_login,user_pass,4,5,6,7... FROM wp_users WHERE ID=1-- -
    • Note: Adjust the number of columns based on the results of the ORDER BY test.

6. Test Data Setup

  1. Role Creation: Create a user with the editor role.
  2. Plugin Setup: Activate the "Team Members – Multi Language Supported Team Plugin".
  3. Content Creation: Create at least one team member so the query returns a base result:
    wp post create --post_type=wpm_team --post_title="Test Member" --post_status=publish
    

7. Expected Results

  • Confirmation: The response for the SLEEP(5) payload should take approximately 5 seconds longer than a normal request.
  • Extraction: The response HTML should reflect the administrator's username and password hash (starting with $P$ or $wp$) in one of the fields usually occupied by member data (like Name or Designation).

8. Verification Steps

After the HTTP exploit, use WP-CLI to verify the accuracy of the extracted data:

# Get the actual admin hash to compare
wp user get 1 --field=user_pass

9. Alternative Approaches

If the Manage Members page is not directly vulnerable via GET, check the following endpoints using the same payload logic:

  1. Manage Category: wp-admin/admin.php?page=team-showcase-supreme-category&id=[SQLI]
  2. Manage Social Icons: wp-admin/admin.php?page=team-showcase-supreme-social-icon&id=[SQLI]
  3. AJAX Handler:
    • Endpoint: wp-admin/admin-ajax.php
    • Body: action=wpm_6310_team_member_info&member_id=1[SQLI] (Authenticated)
Research Findings
Static analysis — not yet PoC-verified

Summary

The Team Members – Multi Language Supported Team Plugin for WordPress (up to 8.5) is vulnerable to an authenticated SQL injection. This vulnerability occurs because the plugin concatenates user-supplied parameters like 'id' directly into SQL queries without proper sanitization or using prepared statements ($wpdb->prepare()), allowing users with Editor privileges or higher to execute arbitrary SQL commands.

Vulnerable Code

// index.php lines 39-42 (vulnerable page registrations)
add_submenu_page('team-showcase-supreme', 'Manage Members', 'Manage Members', $options, 'team-showcase-supreme-team-member', 'wpm_team_6310_team_member');
add_submenu_page('team-showcase-supreme', 'Manage Category', 'Manage Category', 'manage_options', 'team-showcase-supreme-category', 'wpm_team_6310_category');
add_submenu_page('team-showcase-supreme', 'Manage Social Icons', 'Manage Social Icons', $options, 'team-showcase-supreme-social-icon', 'wpm_team_6310_icon');

---

// Inferred vulnerable sink (referenced in research plan and plugin logic)
// Likely located in settings/helper/functions.php
$wpdb->get_results("SELECT * FROM {$wpdb->prefix}wpm_6310_team_member WHERE id = " . $_GET['id']);

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/team-showcase-supreme/8.5/index.php /home/deploy/wp-safety.org/data/plugin-versions/team-showcase-supreme/8.6/index.php
--- /home/deploy/wp-safety.org/data/plugin-versions/team-showcase-supreme/8.5/index.php	2025-12-08 14:54:34.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/team-showcase-supreme/8.6/index.php	2026-02-16 01:23:36.000000000 +0000
@@ -8,14 +8,14 @@
   Author URI: http://www.wpmart.org/
   Text Domain: team-showcase-supreme
   Domain Path: /languages
-  Version: 8.5
+  Version: 8.6
  */
 if (!defined('ABSPATH'))
    exit;   
 
 define('wpm_6310_plugin_url', plugin_dir_path(__FILE__));
 define('wpm_6310_plugin_dir_url', plugin_dir_url(__FILE__));
-define ('WPM_PLUGIN_CURRENT_VERSION', 8.5);
+define ('WPM_PLUGIN_CURRENT_VERSION', 8.6);
 define( 'WPM_6310_PLUGIN_LANGUAGE_PATH', dirname( plugin_basename( __FILE__ ) ) . '/languages' );
 
 add_shortcode('wpm_team_showcase', 'wpm_team_showcase_supreme_shortcode');

Exploit Outline

The exploit requires authentication as a user with Editor-level access or higher (specifically the permission returned by wpm_6310_get_user_roles()). The attacker navigates to the 'Manage Members' admin page (wp-admin/admin.php?page=team-showcase-supreme-team-member) and appends a malicious SQL payload to the 'id' GET parameter. Because the 'id' is not sanitized or escaped before being included in a SELECT query, the attacker can use time-based injection (using SLEEP) or UNION-based injection to extract data from the WordPress database, including administrative credentials and hashes.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.