CVE-2025-8295: 
WordPress vulnerability analysis and mitigation

The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'noaccess_msg' parameter in versions up to and including 4.5.1. The vulnerability was discovered and disclosed on August 5, 2025, and has been assigned identifier CVE-2025-8295. The issue affects the WordPress Employee Directory plugin, which is used for creating staff and team directories (NVD).

The vulnerability stems from insufficient input sanitization and output escaping of the 'noaccess_msg' parameter. This security flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue has been classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

When exploited, this vulnerability allows authenticated attackers to inject malicious web scripts that execute whenever a user accesses an affected page. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser (NVD).

The vulnerability has been patched in version 4.5.2 of the Employee Directory plugin. Users are advised to update to this version immediately. The update includes fixes for the XSS vulnerability in the 'noaccess_msg' parameter along with other security improvements (WordPress Plugin).