CVE-2025-8313: 
WordPress vulnerability analysis and mitigation

The Campus Directory plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.9.1. The vulnerability was discovered on August 4, 2025, and was assigned CVE-2025-8313. The issue affects the 'noaccess_msg' parameter due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It received a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability exists in the plugin's form handling functionality where the 'noaccess_msg' parameter is not properly sanitized before being displayed to users (NVD, WordPress Changelog).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

The vulnerability has been patched in version 1.9.2 of the Campus Directory plugin. Users are strongly advised to update to this version immediately. The fix includes proper sanitization and escaping of the 'noaccess_msg' parameter (WordPress Changelog).