Description
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS that allows authenticated users to inject scripts executed on page view
Action: Apply Patch
AI Analysis

Impact

The Employee Directory plugin for WordPress is vulnerable to stored cross-site scripting through an insufficiently sanitized and escaped ‘noaccess_msg’ parameter. This flaw permits authenticated users with Contributor level or higher to inject arbitrary JavaScript that will run whenever a page containing the injected message is accessed, potentially compromising the confidentiality, integrity, or availability of user sessions and information. The weakness is classified as CWE-79.

Affected Systems

The vulnerability affects the Employee Directory – Staff & Team Directory plugin from emarket-design, in all releases up to and including version 4.5.1. No precise sub-version patch level is specified; upgrading beyond 4.5.1 is required to eliminate the issue.

Risk and Exploitability

With a CVSS score of 6.4 and an EPSS score of less than 1%, the risk of exploitation is moderate to low, and the vulnerability is not currently listed in the CISA KEV catalog. Because the flaw requires authenticated access, an attacker would need to obtain or abuse Contributor-level credentials to inject malicious code. Once injected, the script runs on any user who views the affected page, thereby providing an authenticated XSS vector that can be leveraged for session hijacking, credential theft, or defacement.

Generated by OpenCVE AI on April 21, 2026 at 03:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Employee Directory plugin to the latest version (4.5.2 or newer) to remove the unsanitized input handling
  • If an update is not immediately possible, trim or escape all content of the ‘noaccess_msg’ field before storing or rendering it
  • Reduce the scope of Contributor permissions by restricting the role’s access to the plugin’s configuration pages
  • Disable or remove the plugin entirely if it is not required for business operations

Generated by OpenCVE AI on April 21, 2026 at 03:41 UTC.


Advisories

  Source: EUVD
  ID: EUVD-2025-23605
  Title: The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Tue, 05 Aug 2025 21:30:00 +0000

  First Time appeared
    Values Added: Emarketdesign; Emarketdesign employee Directory; Wordpress; Wordpress wordpress
  Vendors & Products
    Values Added: Emarketdesign; Emarketdesign employee Directory; Wordpress; Wordpress wordpress

Tue, 05 Aug 2025 15:15:00 +0000

  Metrics (ssvc)
    Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 Aug 2025 07:30:00 +0000

  Description
    Values Added: The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title
    Values Added: Employee Directory <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter
  Weaknesses
    Values Added: CWE-79
  References
  Metrics (cvssV3_1)
    Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:19.630Z

Reserved: 2025-07-28T22:40:14.288Z

Link: CVE-2025-8295

Vulnrichment

Updated: 2025-08-05T14:52:23.160Z

NVD

Status: Deferred

Published: 2025-08-05T08:15:27.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8295

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:45:27Z

Weaknesses