cleantalk
Vulnerabilities and Security Researches

Staff Directory – Employee Directory for WordPress, CVE-2025-8295

CVE, Research URL

CVE-2025-8295

Home page URL

Security reports for Staff Directory – Employee Directory for WordPress

Application

Staff Directory – Employee Directory for WordPress

Published on
Aug 05, 2025
Research Description
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 4.5.2.
Status
vulnerable
Previous vulnerability researches
Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More (CVE-2024-34770) , Jun 07, 2024
New vulnerability
Gutenverse – Gutenberg Blocks – Page Builder for Site Editor (CVE-2025-7727) , Aug 07, 2025
Flex Guten – A Multipurpose Gutenberg Blocks Plugin (CVE-2025-6256) , Aug 07, 2025
Simple File List (CVE-2025-54021) , Aug 07, 2025
Newsletters (CVE-2025-54034) , Aug 07, 2025
FileBird – WordPress Media Library Folders & File Manager (CVE-2025-6986) , Aug 07, 2025