CVE-2026-1279
Description
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_title' parameter in the search_employee_directory shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Employee Directory WordPress plugin (≤1.2.1) suffers from stored XSS in the search_employee_directory shortcode via the 'form_title' parameter, allowing authenticated contributors to inject arbitrary scripts.
Vulnerability
Overview
The Employee Directory plugin for WordPress, available from the official plugin repository [1], contains a stored cross-site scripting (XSS) vulnerability in all versions up to and including 1.2.1. The flaw resides in the search_employee_directory shortcode, where the form_title parameter is not properly sanitized or escaped before being rendered. This allows an authenticated attacker with at least Contributor-level access to inject arbitrary JavaScript or HTML into stored content.
Attack
Prerequisites and Exploitation
To exploit this vulnerability, an attacker must have a WordPress account with Contributor-level permissions or higher. The attacker inserts malicious code through the form_title parameter of the search_employee_directory shortcode. When an administrator or other user visits the page containing the affected shortcode, the injected script executes in their browser context. No additional user interaction beyond viewing the page is required.
Potential
Impact
Successful exploitation enables the attacker to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. Since the XSS is stored, the injected payload persists until manually removed, affecting all subsequent visitors to the compromised page. The CVSS v3 base score of 6.4 (Medium) reflects the authenticated requirement and the confidentiality and integrity impact.
Mitigation
Status
The vendor has not released a patched version beyond 1.2.1 at the time of disclosure. Affected users should consider temporarily disabling the plugin or restricting contributor access to sensitive shortcode parameters. Regular security reviews of uploaded content are recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.2.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/employee-staff-directory/tags/1.2.1/handler/mo-empdir-search_handler.phpnvd
- plugins.trac.wordpress.org/browser/employee-staff-directory/trunk/handler/mo-empdir-search_handler.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- wordpress.org/plugins/employee-staff-directorynvd
- www.wordfence.com/threat-intel/vulnerabilities/id/f0d3b54c-6244-4776-be3c-afe3a28a2b8anvd
News mentions
0No linked articles in our index yet.