VYPR
Medium severity 4.4 · NVD Advisory · Published Nov 27, 2025 · Updated Apr 15, 2026

CVE-2025-12185

Description

The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The StaffList plugin for WordPress <= 3.2.6 has a stored XSS vulnerability in admin settings allowing high-privileged attackers to inject arbitrary scripts, affecting multisite or unfiltered_html-disabled sites.

The StaffList plugin for WordPress, version 3.2.6 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability within its admin settings. The root cause is insufficient input sanitization and output escaping of data processed by the plugin's administrative interface. This allows authenticated users with administrator-level permissions to inject arbitrary web scripts that are stored and later executed in the context of other users viewing the affected pages [1].

For exploitation, the attacker must have admin-level access to a WordPress installation. The attack vector is via the plugin settings, where the injected script is stored. The vulnerability is only exploitable on multi-site installations or stand-alone sites where the unfiltered_html capability has been disabled for administrators. This constraint is acknowledged in the official description [1].

Successful exploitation results in Stored XSS, meaning the injected script executes automatically for any user who accesses the tampered page. This can lead to session hijacking, redirection to malicious sites, or theft of sensitive information, all under the security context of the authenticated victim.

As of the publication date, a patched version has not been explicitly confirmed. The vendor's plugin page [1] lists version 3.2.6 as the latest; users are advised to update once a fix is released and consider applying input validation on admin settings as a temporary workaround. The vulnerability has a CVSS v3 base score of 4.4 (Medium).
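The defensive pattern behind the root cause above (sanitize on save, escape for the output context) expressed with the WordPress Settings API, as an added illustration that is not StaffList's code; the option group, option name and function names are hypothetical. It assumes a plain-text setting; a field that legitimately needs limited markup would use wp_kses_post() or wp_kses() with an explicit allow-list in the same callback.

```php
<?php
// Added illustration (not StaffList's code): a plugin setting stored through
// the Settings API and rendered back in the admin. Names are hypothetical.

// Register the option with a sanitize_callback so that every value reaching
// the database has been filtered by the plugin itself, independent of
// whether the submitting administrator holds the unfiltered_html capability
// (absent on multisite and when DISALLOW_UNFILTERED_HTML is set).
add_action( 'admin_init', function () {
    register_setting(
        'example_stafflist_group',   // hypothetical settings group
        'example_stafflist_title',   // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_stafflist_sanitize_title',
            'default'           => '',
        )
    );
} );

// Sanitize on input: a plain-text title should carry no markup at all.
function example_stafflist_sanitize_title( $value ) {
    return sanitize_text_field( (string) $value );
}

// Escape on output: clean storage alone is not enough, because a stored
// value may predate the sanitizer or arrive through another code path.
// Escape for the exact context: esc_attr() inside an attribute,
// esc_html() in the element body.
function example_stafflist_render_title_field() {
    $title = get_option( 'example_stafflist_title', '' );
    printf(
        '<input type="text" name="example_stafflist_title" value="%s" />',
        esc_attr( $title )
    );
    echo '<p class="description">' . esc_html( $title ) . '</p>';
}
```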

References
  1. StaffList

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)