Description
The Employee Directory – Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The Employee Directory – Staff & Team Directory WordPress plugin contains a stored XSS flaw in the 'emd_mb_meta' shortcode caused by insufficient input sanitization and output escaping. Authenticated users with contributor access or higher can inject arbitrary scripts that will run whenever any user views a page containing the shortcode. This enables attackers to steal credentials, deface content, or perform other malicious actions in the context of legitimate users.

Affected Systems

Vendor emarket‑design releases the Employee Directory – Staff & Team Directory plugin for WordPress. All versions up to and including 4.5.0 are vulnerable; newer releases are not affected according to the available data.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. An EPSS score of less than 1% suggests a low likelihood of exploitation, though the vulnerability is listed in a public advisory and not flagged in KEV. The flaw requires authenticated contributor‑level or higher access; once the attacker injects content, any user who visits the affected page will have the malicious script executed. The risk remains moderate to high in environments where contributor roles are widely available and content with the shortcode is common.

Generated by OpenCVE AI on April 22, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Employee Directory – Staff & Team Directory plugin to the latest version that includes an XSS fix
  • If an immediate upgrade is not possible, remove or disable the 'emd_mb_meta' shortcode from affected pages or disable the entire plugin until a fix is available
  • Implement or configure a web application firewall or security plugin to sanitize output and block the execution of injected scripts

Generated by OpenCVE AI on April 22, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16821 The Employee Directory – Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 04 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Jun 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Employee Directory – Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Staff Directory – Employee Directory for WordPress <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:46.710Z

Reserved: 2025-06-03T14:54:11.122Z

Link: CVE-2025-5531

cve-icon Vulnrichment

Updated: 2025-06-04T13:47:44.857Z

cve-icon NVD

Status : Deferred

Published: 2025-06-04T04:15:54.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5531

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses