VYPR
Medium severity 6.4 · NVD Advisory · Published Aug 5, 2025 · Updated Apr 15, 2026

CVE-2025-8313

Description

The Campus Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Campus Directory plugin for WordPress (≤1.9.1) has Stored XSS via the ‘noaccess_msg’ parameter, allowing Contributor+ users to inject scripts.

Vulnerability Overview

The Campus Directory plugin for WordPress, in all versions up to and including 1.9.1, is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on the ‘noaccess_msg’ parameter [1]. This parameter is present in the form builder functionality, specifically in the file emd-form-builder-lite/emd-form-frontend.php. The lack of proper escaping allows arbitrary web scripts to be stored and executed.

Exploitation Conditions

The vulnerability can be exploited by authenticated users with at least Contributor-level access. The attacker injects malicious JavaScript or HTML into the ‘noaccess_msg’ field. When an administrator or other user visits a page containing the injected form, the script executes in their browser context, leading to potential session hijacking or other client-side attacks.

Impact

Successful exploitation enables the attacker to inject arbitrary web scripts that execute whenever a user accesses the affected page. This can lead to data theft, defacement, or further compromise within the WordPress site.

Mitigation

The vendor has not released a patched version as of the publication date. Users should consider removing or replacing the plugin, or applying a workaround such as disabling the plugin's form builder features until a fix is available.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
