CVE-2025-25165

Vulnerability

Description

The Staff Directory Plugin: Company Directory for WordPress, up to version 4.3, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables attackers to inject arbitrary HTML or JavaScript code that is stored on the server and executed in the browsers of visitors.

Exploitation

Prerequisites

Exploitation requires an authenticated user with at least Contributor-level privileges or higher, who can submit or edit content processed by the plugin. The attacker does not need direct access to the admin panel; a privileged user must perform an action such as clicking a crafted link or submitting a form to trigger the payload [1]. No special network position is required beyond normal web access.

Impact

Successful exploitation allows an attacker to execute malicious scripts in the context of any visitor's browser session. This can be used for session hijacking, phishing, redirecting users to malicious sites, injecting advertisements, or defacing the website [1]. The vulnerability is rated with a CVSS score of 7.1 (High) and is expected to be incorporated into mass-exploit campaigns targeting multiple WordPress sites.

Mitigation

The vendor has not released a patched version at the time of publication. As an immediate workaround, administrators should update the plugin once an official fix becomes available. Until then, deploying a virtual patch or Web Application Firewall (WAF) rule can block attack attempts [1]. For sites unable to update, restricting access to plugin-related pages or using a security plugin with XSS filtering is recommended.