Description
The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-11-27
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The StaffList plugin for WordPress allows authenticated attackers with administrator‑level privileges to inject arbitrary JavaScript through the plugin's admin settings. Because the plugin neither sanitizes the submitted value nor escapes it on output, the injected script is stored and executes in the browser of any user who views a page where it is rendered. The finding is only a security boundary where an administrator lacks the unfiltered_html capability: multisite installations (where only network super admins hold it) and installations that have disabled it, for example via the DISALLOW_UNFILTERED_HTML constant. On a standard single‑site install an administrator may publish raw HTML and script by design, so the same behaviour there is not a privilege escalation. Within the affected configurations the stored script runs for every visitor to the injected page, including any super admin who views it.

Affected Systems

WordPress sites running StaffList version 3.2.6 or earlier. The issue matters on multisite deployments, where site administrators do not hold unfiltered_html, and on any installation where that capability has been removed. An attacker needs an account with administrator‑level or higher privileges on the affected site and access to the plugin's settings page. Single‑site installations where administrators retain unfiltered_html are not meaningfully affected, since those accounts can already publish unfiltered markup.

Risk and Exploitability

The CVSS 3.1 score of 4.4 (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) reflects a stored XSS that requires high‑privilege authenticated access and a specific site configuration, with a changed scope because the script executes in the browsers of other users. The EPSS score of < 1% indicates a very low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog, further suggesting limited exploitation activity. The attacker must be able to reach the plugin's admin settings interface to submit the payload, which keeps the attack surface small. The realistic scenario is a compromised or malicious site administrator on a multisite network: that account cannot post raw script through the editor, but the plugin lets it store script that then runs for every visitor to the page, including any super admin who views it, so the impact can extend beyond the one site the account controls.

Generated by OpenCVE AI on April 22, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the StaffList plugin to a release newer than 3.2.6 as soon as one is available, and confirm in the plugin changelog that it addresses sanitization and escaping of the admin settings.
  • If an upgrade is not possible immediately, treat the plugin's settings page as a trusted‑input‑only surface: restrict the administrator role on affected sites (and site‑administrator accounts across a multisite network) to people you would trust with unfiltered_html, and review the plugin's stored options for unexpected HTML or script. Do not grant unfiltered_html as a workaround; that only widens what those accounts may publish.
  • Harden the WordPress configuration by limiting administrator accounts, applying the principle of least privilege, and auditing changes to the plugin's options (for example through an activity log) for unexpected markup.

Advisories

No advisories yet.

History

Wed, 03 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared, values added: Era404; Era404 stafflist; Wordpress; Wordpress wordpress
Vendors & Products, values added: Era404; Era404 stafflist; Wordpress; Wordpress wordpress

Thu, 27 Nov 2025 05:30:00 +0000

Type Values Removed Values Added
Description The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title StaffList <= 3.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Era404 Stafflist
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:38.159Z

Reserved: 2025-10-24T19:43:22.226Z

Link: CVE-2025-12185

Vulnrichment

Updated: 2025-12-03T16:47:09.814Z

NVD

Status : Deferred

Published: 2025-11-27T06:15:46.487

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses