Employee Directory – Staff & Team Directory Security & Risk Analysis

wordpress.org/plugins/employee-directory

Flexible employee directory with enterprise add-ons for LDAP / Active Directory, Microsoft Entra ID (Azure AD) and Premium features like org charts.

100 active installs · v4.5.5 · PHP + WP 4.5+ · Updated Feb 25, 2026
Tags: active-directory, employee-directory, intranet, ldap, staff-directory
73
B · Generally Safe
CVEs total: 3
Unpatched: 1
Last CVE: Aug 25, 2025
Safety Verdict

Is Employee Directory – Staff & Team Directory Safe to Use in 2026?

Mostly Safe

Score 73/100

Employee Directory – Staff & Team Directory is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs · 1 unpatched · Last CVE: Aug 25, 2025 · Updated 1mo ago
Risk Assessment

The 'employee-directory' plugin version 4.5.5 exhibits a mixed security posture. While many security best practices are followed, including the use of prepared statements for all SQL queries and a high percentage of output escaping, several significant concerns exist. The presence of 9 AJAX handlers without authentication checks represents a considerable attack surface, potentially allowing unauthorized actions. The taint analysis reveals 2 high-severity flows with unsanitized paths, indicating potential vulnerabilities that could lead to data leakage or execution of unintended code.

The plugin's vulnerability history is also a point of concern, with 3 known CVEs, one of which remains unpatched and is classified as high severity. The common vulnerability types, such as Deserialization of Untrusted Data and Cross-site Scripting, combined with the recent discovery of a vulnerability (2025-08-25), suggest a pattern of exploitable weaknesses. While the use of nonces and capability checks on most AJAX handlers is positive, the unprotected entry points and the ongoing unpatched vulnerability significantly detract from its overall security. This plugin requires careful review and immediate attention to address the unpatched CVE and the identified unsanitized data flows.

Key Concerns

  • Unpatched High Severity CVE
  • AJAX Handlers without Auth Checks
  • High Severity Taint Flows
  • Bundled outdated library (Select2 v3.2)
  • Flows with unsanitized paths
Vulnerabilities
3

Employee Directory – Staff & Team Directory Security Vulnerabilities

CVEs by Year

3 CVEs in 2025 · unpatched

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-53243 · high · 8.1 · Deserialization of Untrusted Data

Employee Directory – Staff Listing & Team Directory Plugin for WordPress <= 4.5.3 - Unauthenticated PHP Object Injection

Aug 25, 2025 · Unpatched

CVE-2025-8295 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Employee Directory <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter

Aug 4, 2025 · Patched in 4.5.2 (1d)

CVE-2025-5531 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Staff Directory – Employee Directory for WordPress <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 3, 2025 · Patched in 4.5.1 (57d)
Code Analysis
Analyzed Mar 16, 2026

Employee Directory – Staff & Team Directory Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (22 prepared)
Unescaped Output: 242 (1354 escaped)
Nonce Checks: 29
Capability Checks: 29
File Operations: 2
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

preg_replace(/e) · preg_replace('/e · includes\emd-form-builder-lite\emd-form-functions.php:495
preg_replace(/e) · preg_replace('/e · includes\emd-form-builder-lite\emd-form-functions.php:516

Bundled Libraries

Select2 3.2

SQL Query Safety

100% prepared · 22 total queries

Output Escaping

85% escaped · 1596 total outputs
Data Flows
9 unsanitized

Data Flow Analysis

15 flows · 9 with unsanitized paths
emd_form_builder_lite_get_field (includes\emd-form-builder-lite\emd-form-builder.php:831)
Attack Surface
9 unprotected

Employee Directory – Staff & Team Directory Attack Surface

Entry Points: 30
Unprotected: 9

AJAX Handlers 29

auth · wp_ajax_single_tax_add_taxterm · includes\admin\singletax\emd-singletax-functions.php:4
auth · wp_ajax_emd_load_file · includes\class-install-deactivate.php:54
nopriv · wp_ajax_emd_load_file · includes\class-install-deactivate.php:55
auth · wp_ajax_emd_delete_file · includes\class-install-deactivate.php:56
nopriv · wp_ajax_emd_delete_file · includes\class-install-deactivate.php:57
auth · wp_ajax_emd_check_userEmail · includes\common-functions.php:541
auth · wp_ajax_emd_check_unique · includes\common-functions.php:570
auth · wp_ajax_emd_form_builder_lite_get_field · includes\emd-form-builder-lite\emd-form-builder.php:830
auth · wp_ajax_emd_form_builder_lite_get_page · includes\emd-form-builder-lite\emd-form-builder.php:1192
auth · wp_ajax_emd_form_builder_lite_get_row · includes\emd-form-builder-lite\emd-form-builder.php:1245
auth · wp_ajax_emd_form_builder_lite_save_form · includes\emd-form-builder-lite\emd-form-builder.php:1272
auth · wp_ajax_emd_form_builder_lite_get_hr · includes\emd-form-builder-lite\emd-form-builder.php:1391
auth · wp_ajax_emd_form_builder_lite_get_html · includes\emd-form-builder-lite\emd-form-builder.php:1411
auth · wp_ajax_emd_formb_lite_submit_ajax_form · includes\emd-form-builder-lite\emd-form-frontend.php:9
nopriv · wp_ajax_emd_formb_lite_submit_ajax_form · includes\emd-form-builder-lite\emd-form-frontend.php:10
nopriv · wp_ajax_emd_check_userEmail · includes\emd-form-builder-lite\emd-form-frontend.php:11
nopriv · wp_ajax_emd_check_unique · includes\emd-form-builder-lite\emd-form-frontend.php:12
nopriv · wp_ajax_emd_lite_process_login · includes\emd-form-builder-lite\emd-form-frontend.php:1931
auth · wp_ajax_emd_lite_process_login · includes\emd-form-builder-lite\emd-form-frontend.php:1932
nopriv · wp_ajax_emd_lite_verify_registration · includes\emd-form-builder-lite\emd-form-frontend.php:2019
auth · wp_ajax_emd_lite_verify_registration · includes\emd-form-builder-lite\emd-form-frontend.php:2020
auth · wp_ajax_emd_form_builder_lite_pagenum · includes\emd-form-builder-lite\emd-form-functions.php:1091
nopriv · wp_ajax_emd_form_builder_lite_pagenum · includes\emd-form-builder-lite\emd-form-functions.php:1092
nopriv · wp_ajax_emd_verify_email · includes\login-register-functions.php:106
auth · wp_ajax_emd_verify_email · includes\login-register-functions.php:107
auth · wp_ajax_empd_com_send_deactivate_reason · includes\plugin-feedback-functions.php:11
auth · wp_ajax_empd_com_show_rateme · includes\plugin-feedback-functions.php:16
auth · wp_ajax_emd_get_widg_pagenum · includes\widget-functions.php:10
nopriv · wp_ajax_emd_get_widg_pagenum · includes\widget-functions.php:11

Shortcodes 1

[emd_form] includes\emd-form-builder-lite\emd-form-frontend.php:400
WordPress Hooks 79
filter · the_content · employee-directory.php:58
action · admin_menu · employee-directory.php:62
filter · template_include · employee-directory.php:66
action · widgets_init · employee-directory.php:70
action · empd_com_getting_started · includes\admin\getting-started.php:9
action · empd_com_settings_glossary · includes\admin\glossary.php:9
action · emd_ext_register · includes\admin\settings-functions-misc.php:11
filter · emd_add_settings_tab · includes\admin\settings-functions-misc.php:12
action · emd_show_settings_tab · includes\admin\settings-functions-misc.php:13
action · emd_ext_register · includes\admin\settings-functions.php:11
action · emd_show_settings_page · includes\admin\settings-functions.php:12
action · add_meta_boxes · includes\admin\singletax\class-emd-single-taxonomy.php:31
filter · wp_terms_checklist_args · includes\admin\singletax\class-emd-single-taxonomy.php:35
action · save_post · includes\admin\singletax\class-emd-single-taxonomy.php:39
filter · media_buttons · includes\admin\wpas-btn-functions.php:10
action · admin_footer · includes\admin\wpas-btn-functions.php:11
filter · kses_allowed_protocols · includes\admin\wpas-btn-functions.php:222
filter · posts_where · includes\class-emd-query.php:91
filter · posts_join · includes\class-emd-query.php:94
filter · emd_wp_session_cookie_secure · includes\class-emd-session.php:59
filter · emd_wp_session_cookie_httponly · includes\class-emd-session.php:60
filter · emd_wp_session_delete_batch_size · includes\class-emd-session.php:61
filter · safe_style_css · includes\class-emd-widget.php:57
action · admin_init · includes\class-install-deactivate.php:21
action · wp_head · includes\class-install-deactivate.php:33
action · admin_init · includes\class-install-deactivate.php:37
action · admin_notices · includes\class-install-deactivate.php:41
action · admin_init · includes\class-install-deactivate.php:45
action · before_delete_post · includes\class-install-deactivate.php:49
filter · get_media_item_args · includes\class-install-deactivate.php:53
action · init · includes\class-install-deactivate.php:58
filter · tiny_mce_before_init · includes\class-install-deactivate.php:63
action · emd_ext_set_conf · includes\emd-form-builder-lite\emd-form-builder.php:12
action · emd_ext_init · includes\emd-form-builder-lite\emd-form-builder.php:22
filter · posts_where · includes\emd-form-builder-lite\emd-form-builder.php:48
action · emd_ext_admin_enq · includes\emd-form-builder-lite\emd-form-builder.php:50
action · emd_show_forms_lite_page · includes\emd-form-builder-lite\emd-form-builder.php:282
action · init · includes\emd-form-builder-lite\emd-form-frontend.php:44
filter · emd_ext_parse_tags · includes\emd-form-builder-lite\emd-form-functions.php:775
action · init · includes\emd-form-builder-lite\emd-form-functions.php:801
filter · kses_allowed_protocols · includes\emd-form-builder-lite\emd-form-functions.php:1169
action · emd_ext_register · includes\emd-form-builder-lite\settings-functions-login.php:12
filter · emd_add_settings_tab · includes\emd-form-builder-lite\settings-functions-login.php:13
action · emd_show_settings_tab · includes\emd-form-builder-lite\settings-functions-login.php:14
action · emd_ext_admin_enq · includes\emd-lite\emd-lite.php:8
filter · emd_lite_modal · includes\emd-lite\emd-lite.php:26
action · init · includes\entities\class-emd-employee.php:27
action · admin_init · includes\entities\class-emd-employee.php:31
filter · post_updated_messages · includes\entities\class-emd-employee.php:35
action · admin_menu · includes\entities\class-emd-employee.php:39
action · admin_head-edit.php · includes\entities\class-emd-employee.php:43
action · manage_emd_employee_posts_custom_column · includes\entities\class-emd-employee.php:49
filter · manage_emd_employee_posts_columns · includes\entities\class-emd-employee.php:53
filter · enter_title_here · includes\entities\class-emd-employee.php:58
action · admin_init · includes\entities\class-emd-employee.php:62
filter · post_row_actions · includes\entities\class-emd-employee.php:66
action · admin_action_emd_duplicate_entity · includes\entities\class-emd-employee.php:70
action · admin_notices · includes\entities\class-emd-employee.php:631
filter · the_title · includes\entities\class-emd-employee.php:662
action · save_post · includes\entities\class-emd-entity.php:96
action · save_post · includes\entities\class-emd-entity.php:133
filter · emd_show_temp_sidebar · includes\layout-functions.php:166
action · emd_sidebar · includes\layout-functions.php:196
action · widgets_init · includes\layout-functions.php:213
filter · emd_show_temp_navigation · includes\layout-functions.php:290
filter · emd_show_single_edit_link · includes\layout-functions.php:320
filter · emd_change_container · includes\layout-functions.php:332
filter · emd_get_login_register_option_for_views · includes\login-register-functions.php:8
action · emd_show_login_register_forms · includes\login-register-functions.php:22
action · emd_ext_set_conf · includes\plugin-app-functions.php:8
action · emd_ext_reset_conf · includes\plugin-app-functions.php:9
filter · plugin_row_meta · includes\plugin-feedback-functions.php:9
filter · plugin_action_links · includes\plugin-feedback-functions.php:10
action · admin_footer · includes\plugin-feedback-functions.php:14
action · admin_notices · includes\plugin-feedback-functions.php:17
action · admin_post_empd-com_check_optin · includes\plugin-feedback-functions.php:18
action · admin_enqueue_scripts · includes\scripts.php:9
action · wp_enqueue_scripts · includes\scripts.php:148
action · admin_print_footer_scripts · includes\scripts.php:234
Maintenance & Trust

Employee Directory – Staff & Team Directory Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 25, 2026
PHP min version
Downloads: 43K

Community Trust

Rating: 82/100
Number of ratings: 16
Active installs: 100
Developer Profile

Employee Directory – Staff & Team Directory Developer Profile

emarket-design

10 plugins · 4K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 251 days
Detection Fingerprints

How We Detect Employee Directory – Staff & Team Directory

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/employee-directory/assets/ext/emd-meta-box/emd-meta-box.php
/wp-content/plugins/employee-directory/includes/date-functions.php
/wp-content/plugins/employee-directory/includes/common-functions.php
/wp-content/plugins/employee-directory/includes/entities/class-emd-entity.php
/wp-content/plugins/employee-directory/includes/layout-functions.php
/wp-content/plugins/employee-directory/includes/class-emd-query.php
/wp-content/plugins/employee-directory/includes/shortcode-functions.php
/wp-content/plugins/employee-directory/includes/widget-functions.php
+21 more

HTML / DOM Fingerprints

CSS Classes
empd-form, emd-form-builder-lite, emd-lite-modal
HTML Comments
LICENSE: Employee Directory is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (+16 more)
Data Attributes
data-form-id
JS Globals
emd_form_builder_settings, emd_form_builder_fields, emd_form_builder_settings_form, emd_form_builder_fields_form, emd_form_builder_element_type, emd_form_builder_el_type, +3 more
Shortcode Output
[employee-directory] [employee_directory] [employee-directory-search] [employee_directory_search]