Description
The Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting from authenticated contributor access
Action: Patch
AI Analysis

Impact

The Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress contains a stored cross‑site scripting flaw triggered by the 'emd_mb_meta' shortcode attribute. Attackers with contributor‑level permissions can inject arbitrary JavaScript that is saved in the database and executed whenever any user loads a page containing the injected content. This enables session hijacking, defacement and malicious redirects, making the weakness a classic CWE‑79 input validation and output escaping failure.

Affected Systems

Any WordPress site that installs emarket‑design’s Campus Directory – Faculty, Staff & Student Directory Plugin with a version of 1.9.0 or earlier is affected. All such installations are susceptible regardless of site configuration or additional plugins.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating medium severity, and an EPSS score of less than 1%, showing a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is authenticated web application access with contributor or higher privileges; after upstream injection, the exploit becomes persistent and impacts all users who view the affected page.

Generated by OpenCVE AI on April 22, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version that removes the vulnerable shortcode (or any release above 1.9.0).
  • If an upgrade is not immediately possible, restrict the Contributor role on the site or remove the 'emd_mb_meta' shortcode to prevent further injections.
  • Deploy a Web Application Firewall rule or server‑side filter to detect and block malicious JavaScript payloads submitted via the shortcode until a patch is applied.
  • Continuously monitor site logs for unexpected script injections and review user accounts with elevated permissions for suspicious activity.

Generated by OpenCVE AI on April 22, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16820 The Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 04 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Jun 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Faculty Staff and Student Directory Plugin – Campus Directory <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:13.062Z

Reserved: 2025-06-03T14:57:17.755Z

Link: CVE-2025-5532

cve-icon Vulnrichment

Updated: 2025-06-04T13:47:23.453Z

cve-icon NVD

Status : Deferred

Published: 2025-06-04T04:15:59.263

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5532

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses