GCVE - cpe:2.3:a:emarket-design:employee_directory_–_staff_&_team

Approved changes feed: RSS · Atom

cpe:2.3:a:emarket-design:employee_directory_–_staff_&_team_directory:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Emarket Design (`8fb61feb-3a38-520b-9ec4-c08f2531594e`)
Product	Employee Directory – Staff & Team Directory (`2f605e72-48b0-5ee3-8763-c9d374db2c3a`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-8295`	vulnerable	2026-06-03 15:13:43.312884	Employee Directory <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter MEDIUM (6.4) The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2025-08-05T07:24:15.940Z Updated: 2026-04-08T16:59:19.630Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/6d06d721-ab48-43ae-81d6-bd0b3177a7bf?source=cve https://wordpress.org/plugins/employee-directory/#developers https://plugins.trac.wordpress.org/browser/employee-directory/tags/4.5.1/includes/emd-form-builder-lite/emd-form-frontend.php https://plugins.trac.wordpress.org/changeset/3336753/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-5531`	vulnerable	2026-06-03 15:07:53.975777	Staff Directory – Employee Directory for WordPress <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting MEDIUM (6.4) The Employee Directory – Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2025-06-04T03:40:58.146Z Updated: 2026-04-08T16:36:46.710Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/143c5f1f-032c-4207-9401-20f18efcad9d?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3295945%40employee-directory&new=3295945%40employee-directory&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Employee Directory – Staff & Team Directory

PURL mappings

Vulnerability references

Contribute