Staff Directory Plugin CVE-2025-25165
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Staff Directory Plugin: Company Directory allows Stored XSS. This issue affects Staff Directory Plugin: Company Directory: from n/a through 4.3.
AnalysisAI
Stored Cross-Site Scripting (XSS) in WordPress Staff Directory Plugin (Company Directory) versions up to 4.3 allows remote unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers. The CVSS 7.1 score reflects Changed scope (S:C), indicating the injected script can operate outside the vulnerable component's security context. EPSS probability is low (0.09%, 26th percentile) with no confirmed active exploitation. Patchstack database identifies this as a stored XSS variant, meaning the malicious payload persists in the WordPress database and triggers whenever affected pages are viewed.
Technical ContextAI
This vulnerability affects the WordPress Staff Directory Plugin (Company Directory) through version 4.3, identified by the slug 'staff-directory-pro' in the Patchstack references. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS variant where user-supplied input is not properly sanitized before storage and subsequent rendering in web pages. WordPress plugins handling directory or profile data often accept rich text inputs (staff biographies, contact information, job titles) which, without proper output encoding and HTML sanitization, can become injection vectors. The Changed scope (S:C) in the CVSS vector indicates the vulnerability allows script execution in a different security context than the vulnerable plugin itself, typically enabling attackers to perform actions as authenticated WordPress users who view the compromised staff directory entries.
Affected ProductsAI
WordPress Staff Directory Plugin (Company Directory), also referenced as 'staff-directory-pro', affects all versions from unknown starting point through version 4.3. The vulnerability was reported by Patchstack (audit@patchstack.com) and documented in their WordPress vulnerability database. Organizations running WordPress installations with this plugin at version 4.3 or earlier should verify their deployment. The exact starting version of the vulnerability range is not specified in available data. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/staff-directory-pro/vulnerability/wordpress-staff-directory-plugin-company-directory-plugin-4-3-cross-site-scripting-xss-vulnerability
RemediationAI
Upgrade Staff Directory Plugin (Company Directory) to version 4.4 or later if a patched release is available - the current advisory indicates version 4.3 as the last affected version, suggesting a fix in subsequent releases, though the exact patched version is not independently confirmed in the provided data. Consult the WordPress plugin repository or vendor directly for the latest secure version. As an immediate compensating control if patching is delayed, restrict administrative access to the WordPress staff directory management interface to only trusted administrators via IP allowlisting or additional authentication layers, limiting who can inject stored XSS payloads. Implement Content Security Policy (CSP) headers with 'script-src self' directive to prevent execution of inline scripts, though this may break legitimate plugin functionality and requires testing. For public-facing installations, disable any features that allow unauthenticated users to submit or modify staff directory entries. Verify the remediation by testing input fields with XSS payloads like <script>alert(document.domain)</script> after applying the patch. Reference Patchstack advisory at https://patchstack.com/database/wordpress/plugin/staff-directory-pro/ for vendor-specific guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today