CVE-2025-12185
Published
CVSS v3: 4.4 (MEDIUM)
CVSS v2: N/A
Affected: 1 project
Description
The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
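The fix pattern the description points at, shown as an added illustration that is not StaffList's own code: a plugin setting is sanitized at save time according to whether the saving user holds the unfiltered_html capability (administrators on single-site installs normally do; on multisite or with DISALLOW_UNFILTERED_HTML they do not), and is escaped again wherever it is printed. The option, settings-group and function names are hypothetical.

```php
<?php
// Added example (not StaffList's own code): a hypothetical settings field
// for a WordPress plugin, saved through the Settings API with a sanitize
// callback and escaped on output. Option and function names are made up.

add_action( 'admin_init', function () {
    register_setting(
        'example_staff_settings',          // hypothetical settings group
        'example_staff_header_html',       // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_header_html',
            'default'           => '',
        )
    );
} );

/**
 * Sanitize the value at save time.
 *
 * On single-site installs administrators normally hold the
 * unfiltered_html capability and may store raw markup by design.
 * On multisite, and wherever unfiltered_html has been disabled
 * (DISALLOW_UNFILTERED_HTML), the value must be filtered before it is
 * stored; otherwise a <script> placed in the setting becomes stored XSS.
 */
function example_sanitize_header_html( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    // wp_kses_post() keeps post-safe markup and strips scripts and event handlers.
    return wp_kses_post( $value );
}

// Output: escape for the context in which the value is printed.
function example_render_header_field() {
    $value = get_option( 'example_staff_header_html', '' );
    // Inside an attribute use esc_attr(); in a text node use esc_html();
    // when deliberately rendering allowed markup, run wp_kses_post() again.
    printf(
        '<input type="text" name="example_staff_header_html" value="%s" />',
        esc_attr( $value )
    );
}
```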
<p>A very light-weight plugin, designed to easily create and manage a staff directory on your WordPress theme. Admins can manage staff records by importing (from CSV) or editing records individually. Record columns may be reordered (or hidden). Directory is sortable by column header, paginated, searchable, and customizable (by subset of records or number of records per page) using simple shortcode attributes.</p>
<p><strong>Simple, Straight-Forward</strong></p>
<p>The plugin is very light-weight, but robust. It allows for the individual management of staff directory records, or append/replace using a simple CSV (comma-separated values) document or Excel spreadsheet.</p>
<ul>
<li>Update five standard fields for each staff record (last name, first name, department, email, phone number)</li>
<li>Import from CSV or XLS allows administrators to keep their staff directory maintained, either by appending new records, or replacing the entire directory with an updated list</li>
<li>Fields are not required (and may be left blank) for general department mailboxes or numbers</li>
<li>Updates are performed on-the-fly, so no lengthy reloads are necessary</li>
<li>Design is split into separate stylesheet for ease of theming</li>
<li>No edit links or popups, just make your changes in-line</li>
<li>Case-insensitive substring search, with highlighted matches on front end</li>
<li>Uses jQuery/AJAX for page handling, sorting &amp; searching without pageload (either on type, on enter, or both)</li>
<li>Tipsy is incorporated for contact cards, to display additional information about each StaffList record</li>
<li>StaffList can be placed into content editor using the shortcode [stafflist]</li>
<li>Multiple StaffLists are supported in a single page and are customizable by shortcode attribute (e.g.: [stafflist subset="department:marketing"])</li>
<li>Language is customizable for standard column labels and other messaging</li>
</ul>
<p><strong>StaffList Public Demo</strong></p>
<p>A demo of this plugin can be found on the developer’s site:<br />
<a href="http://www.era404.com/info/stafflist-demo/" title="StaffList (public demo on ERA404.com)" rel="nofollow ugc">http://www.era404.com/info/stafflist-demo/</a></p>
<p><strong>3rd Party Services</strong></p>
<p>Be advised about the 3rd Party libraries used by this plugin.</p>
<ul>
<li><strong>SimpleXLS, SimpleXLSX, SimpleCSV, SimpleXLSXGen</strong>: Spreadsheet utilities written and maintained by <a href="https://github.com/shuchkin" rel="nofollow ugc">Sergey Shuchkin</a> protected by <a href="https://github.com/shuchkin/simplexlsx/blob/master/license.md" rel="nofollow ugc">MIT License</a>. </li>
<li><strong>Tippy.js</strong>: A <a href="https://github.com/atomiks/tippyjs" rel="nofollow ugc">tooltip, popover, dropdown, and menu library</a> also protected by <a href="https://github.com/atomiks/tippyjs/blob/master/LICENSE" rel="nofollow ugc">MIT License</a>.</li>
</ul>