WordPress Plugin Vulnerabilities

Name Directory < 1.25.5 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check when adding/editing names, and is also lacking sanitisation as well as escaping in some of the fields, which could allow attackers to make a logged in admin edit arbitrary names and put XSS payloads in them.

Proof of Concept

Affects Plugins

Plugin icon
name-directory
Fixed in 1.25.5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
b63ef0c9-3f2f-47cf-98ab-9e82b07b1c9d

Timeline

Publicly Published
2022-07-18 (about 3 years ago)
Added
2022-07-18 (about 3 years ago)
Last Updated
2022-07-18 (about 3 years ago)

Other

Published
Title
Published
2025-09-22
Title
ZoloBlocks < 2.3.13 - Contributor+ Stored XSS
Published
2025-07-03
Title
ProcessingJS for WordPress <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-20
Title
3D Photo Gallery <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2023-07-10
Title
Forminator < 1.24.4 - Reflected XSS
Published
2022-12-21
Title
WP Video Lightbox < 1.9.7 - Contributor+ Stored XSS