Description
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting for unauthenticated users
Action: Immediate Patch
AI Analysis

Impact

The WordPress plugin Name Directory is vulnerable to stored Cross‑Site Scripting through the name_directory_name and name_directory_description parameters. Because input is not properly sanitized when it is accepted or escaped when it is output, attackers can inject scripts that are stored and later executed in the browser of any user who visits a page displaying the stored content. This lets an attacker steal session cookies, deface sites, or perform other client-side attacks. The weakness is classified as CWE‑79 (improper neutralization of input during web page generation).

Affected Systems

This flaw exists in all releases of the Name Directory plugin up to and including version 1.30.3. The affected product is the WordPress plugin known as Name Directory, provided by the vendor jeroenpeters1986. All installations of the plugin that have not been upgraded beyond 1.30.3 are vulnerable. The record lists no lower bound on the affected versions.

Risk and Exploitability

The CVSS score of 7.2 places the issue in the High severity band. The EPSS score is below 1%, reflecting a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no documented active exploitation. Attackers would typically exploit the flaw by submitting malicious payloads via the vulnerable parameters, which are stored by the plugin and rendered in subsequent page loads. Because the attack does not require authentication, any user can exploit the flaw to inject scripts into the site’s public pages.

Generated by OpenCVE AI on April 21, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Name Directory to a release newer than 1.30.3 where the stored XSS issue is fixed.
  • If an upgrade cannot be performed immediately, deactivate or remove the plugin to eliminate the vulnerable code paths until a patch is applied.
  • While the plugin remains active, apply a web‑application firewall or security plugin rule that sanitizes the name_directory_name and name_directory_description fields, stripping JavaScript before saving or rendering the data.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
References | |

Thu, 15 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jeroenpeters1986, Jeroenpeters1986 name Directory, Wordpress, Wordpress wordpress
Vendors & Products | | Jeroenpeters1986, Jeroenpeters1986 name Directory, Wordpress, Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type | Values Removed | Values Added
Description | | The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:29.731Z

Reserved: 2025-12-29T21:20:08.934Z

Link: CVE-2025-15283

Vulnrichment

Updated: 2026-01-15T20:00:35.356Z

NVD

Status: Deferred

Published: 2026-01-14T06:15:54.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses