| Plugin Name | Name Directory |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2025-15283 |
| Urgency | Medium |
| CVE Publish Date | 2026-01-14 |
| Source URL | CVE-2025-15283 |

Urgent: Unauthenticated Stored XSS in Name Directory (<= 1.30.3) — What WordPress Site Owners Must Do Now
Date: 14 Jan 2026 | Author: Hong Kong Security Expert
Summary (TL;DR)
- Vulnerability: Unauthenticated stored Cross-Site Scripting (XSS) in the Name Directory plugin (versions ≤ 1.30.3). User-supplied content can be stored and later rendered without adequate sanitization or escaping.
- Impact: Execution of attacker-controlled script in the browser of anyone viewing the stored content (administrators, editors, visitors). Consequences include session theft, persistent defacement, malicious redirects, unauthorized administrative actions, and malware distribution.
- Affected versions: Name Directory ≤ 1.30.3.
- Immediate actions: Isolate endpoints, block suspicious traffic, audit the plugin’s stored entries for injected scripts, prevent admins from viewing suspicious content, scan and clean the site, and apply virtual WAF rules where available.
- Long-term: Update or remove the plugin, sanitize stored records, and strengthen input validation, escaping, monitoring and incident processes.
What is Stored XSS and why unauthenticated stored XSS is dangerous
Cross-Site Scripting (XSS) occurs when user-supplied content is included in a web page without proper escaping, allowing an attacker to execute script in the victim’s browser. Stored (persistent) XSS means the malicious payload is saved on the server (e.g., in the database) and executed each time the content is viewed. If an attacker can store such content without authentication, the attack surface is much larger: any anonymous actor or automated bot can submit payloads that persist until cleaned.
In WordPress contexts this risk is amplified because:
- Admins regularly view content while logged in; a single preview click can trigger escalation.
- Session cookies and authentication tokens are present in the browser and can be targeted for theft.
- Other plugins and integrations can widen the scope of impact once an attacker gains an initial foothold.
Technical overview of the Name Directory vulnerability
At a high level the issue works as follows:
- The plugin accepts input via public forms or endpoints (REST endpoints, shortcode forms, etc.) from unauthenticated users.
- Certain input fields (names, descriptions, notes) are stored in the database without adequate server-side sanitization.
- When these stored values are output to pages or admin screens, they are not properly escaped for the HTML context. Browsers therefore interpret injected markup or scripts as executable.
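To support the audit of stored entries recommended in the summary, the following added example (not code from the plugin or from the original advisory) parses each stored field as HTML and reports markup a browser would execute if the value were echoed unescaped. The row layout, the column names `name` and `description`, and all function names are assumptions; the sample rows are constructed.

```python
import html
from html.parser import HTMLParser

# Elements and URL attributes that have no place in a plain-text directory field.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "style", "link", "meta", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class ActiveMarkupFinder(HTMLParser):
    """Collects markup a browser would treat as executable if echoed unescaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            # URL parsers drop tabs/newlines, so compare the scheme with whitespace removed.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")

def scan_value(value):
    finder = ActiveMarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings

def audit_entries(rows, fields=("name", "description")):
    """Return (row id, field, finding) for every stored value that needs review."""
    return [(row["id"], field, finding)
            for row in rows for field in fields
            for finding in scan_value(str(row.get(field, "")))]

def render_escaped(value):  # Python stand-in for WordPress esc_html() at output time
    return html.escape(value, quote=True)

# Constructed sample rows; column names are assumptions, not the plugin's schema.
SAMPLE_ROWS = [
    {"id": 1, "name": "Bob <b>Lee</b>", "description": "Plain <em>formatting</em> only"},
    {"id": 2, "name": "<script>alert(1)</script>", "description": "n/a"},
    {"id": 3, "name": "Carol", "description": '<img src="x.png" OnError="alert(1)">'},
    {"id": 4, "name": "Dan", "description": '<a href="java\tscript:alert(1)">profile</a>'},
]

if __name__ == "__main__":
    print(*audit_entries(SAMPLE_ROWS), sep="\n")
```

Rows 2 to 4 are reported and row 1 is not. Passing a flagged value through `render_escaped` before scanning yields no findings, which is the effect output escaping has in the browser.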