Vulnerabilities and security researches foremployee-spotlight employee-spotlight

Nov 11, 2025

CVE, Research URL: CVE-2025-12090
Home page URL: Security reports for Team Member Showcase Staff List Plugin – Employee Spotlight
Application: Team Member Showcase Staff List Plugin – Employee Spotlight
Date: Nov 01, 2025
Research Description: The Employee Spotlight – Team Member Showcase & Meet the Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social URLs in all versions up to, and including, 5.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 5.1.3.
Status: vulnerable

Oct 11, 2025

CVE, Research URL: CVE-2025-58915
Home page URL: Security reports for Team Member Showcase Staff List Plugin – Employee Spotlight
Application: Team Member Showcase Staff List Plugin – Employee Spotlight
Date: Sep 23, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase youtube-showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.0.
Affected versions: max 5.1.1.
Status: vulnerable

Sep 01, 2025

CVE, Research URL: CVE-2025-53583
Home page URL: Security reports for Team Member Showcase Staff List Plugin – Employee Spotlight
Application: Team Member Showcase Staff List Plugin – Employee Spotlight
Date: Aug 28, 2025
Research Description: Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight allows Object Injection. This issue affects Employee Spotlight: from n/a through 5.1.1.
Affected versions: max 5.1.2.
Status: vulnerable