cleantalk
Vulnerabilities and Security Researches

Staff Directory – Employee Directory for WordPress, CVE-2025-8295

CVE, Research URL

CVE-2025-8295

Home page URL

Security reports for Staff Directory – Employee Directory for WordPress

Application

Staff Directory – Employee Directory for WordPress

Published on
Aug 05, 2025
Research Description
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 4.5.2.
Status
vulnerable
Previous vulnerability researches
URL Shortener Plugin For WordPress (CVE-2025-28963) , Jul 05, 2025
URL Shortener Plugin For WordPress (CVE-2025-28959) , Jul 19, 2025
URL Shortener Plugin For WordPress (CVE-2025-28965) , Jul 19, 2025
URL Shortener Plugin For WordPress (CVE-2025-28961) , Jul 19, 2025
New vulnerability
Newsletters (CVE-2025-54034) , Aug 07, 2025
FileBird – WordPress Media Library Folders & File Manager (CVE-2025-6986) , Aug 07, 2025
HT Mega – Absolute Addons For Elementor (CVE-2025-54695) , Aug 07, 2025
DELUCKS SEO (CVE-2025-48165) , Aug 07, 2025
Gutenberg Blocks – PublishPress Blocks Gutenberg Editor Plugin (CVE-2025-48332) , Aug 06, 2025