Reflected Cross-Site Scripting in Staff Directory Plugin for WordPress
CVE-2024-13839

6.1MEDIUM

Key Information:

Vendor: Richardgabriel
Status: Staff Directory Plugin: Company Directory
Vendor: CVE Published:; 5 March 2025

Summary

The Staff Directory Plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to improper handling of URL parameters through the add_query_arg function. This vulnerability allows unauthenticated attackers to craft malicious URLs that, when clicked by unsuspecting users, execute arbitrary scripts in their browsers. The flaw exists in all versions of the plugin up to and including 4.3, posing a significant risk to website integrity and user data.

Affected Version(s)

Staff Directory Plugin: Company Directory * <= 4.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/staff-director...

https://wordpress.org/plugins/staff-directory-pro/#develo...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 5, 2025
Vulnerability Reserved
Feb 5, 2025

Credit

Peter Thaleikis