StaffList Security & Risk Analysis

wordpress.org/plugins/stafflist

A super simplified staff directory tool

100 active installs · v3.2.7 · PHP 5.6+ · WP 3.2.2+ · Updated Nov 25, 2025
Tags: directory, faculty, personnel, phonebook, staff

Score: 47/100 · D · High Risk
CVEs total: 6
Unpatched: 2
Last CVE: Nov 26, 2025

Is StaffList Safe to Use in 2026?

High Risk

Score 47/100

StaffList carries significant security risk with 6 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

6 known CVEs · 2 unpatched · Last CVE: Nov 26, 2025 · Updated 4mo ago
Risk Assessment

The 'stafflist' v3.2.7 plugin exhibits a concerning security posture because of a significant number of unprotected entry points and a history of known vulnerabilities. The code analysis shows good practice in most places (prepared statements for the majority of SQL queries and escaped output in the majority of cases), but six AJAX handlers without authentication checks present a substantial attack surface. Missing authorization on these interaction points could allow unauthorized users to trigger plugin functionality, leading to unexpected behavior or exploitation unless the handlers are robustly secured internally.

The plugin's vulnerability history is a major red flag: six known CVEs, two of which remain unpatched; one of the six is high severity. The recurring vulnerability classes (Cross-site Scripting, Information Exposure, Missing Authorization and SQL Injection) align directly with the risks identified by static analysis, particularly the unprotected AJAX handlers, which points to a persistent weakness in input validation and authorization in the plugin's development.

In conclusion, despite some positive coding practices such as prepared SQL statements and output escaping, the high number of unprotected AJAX handlers and the persistent history of serious, unpatched vulnerabilities make this plugin a significant risk. Further investigation of the unpatched CVEs and a thorough review of every AJAX handler implementation are strongly recommended before using this plugin.

Key Concerns

  • Unpatched High/Medium severity CVEs (2 unpatched)
  • High number of unprotected AJAX handlers (6)
  • Missing Nonce checks on AJAX handlers (implied by unprotected AJAX)
  • SQL queries without prepared statements (34% of 59)
  • Outputs not properly escaped (32% of 59)
  • Missing Capability checks on entry points (implied by unprotected AJAX)

StaffList Security Vulnerabilities

CVEs by Year

2022: 2 CVEs (patched)
2025: 4 CVEs (has unpatched)

Severity Breakdown

High: 1
Medium: 5

6 total CVEs

CVE-2025-12185 · Medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

StaffList <= 3.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Nov 26, 2025 · Patched in 3.2.7 (1d)

CVE-2025-32255 · Medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

StaffList <= 3.2.6 - Unauthenticated Sensitive Information Exposure

Apr 4, 2025 · Unpatched

CVE-2025-32232 · Medium · 4.3 · Missing Authorization

StaffList <= 3.2.6 - Missing Authorization

Apr 4, 2025 · Unpatched

CVE-2024-13749 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

StaffList <= 3.2.3 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Feb 11, 2025 · Patched in 3.2.4 (1d)

WF-62a6fc85-db3c-4696-8102-d0247daae56c-stafflist · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

StaffList <= 3.1.6 - Reflected Cross-Site Scripting

May 9, 2022 · Patched in 3.1.7 (624d)

CVE-2022-1556 · High · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

StaffList <= 3.1.2 - Authenticated SQL Injection

May 2, 2022 · Patched in 3.1.5 (631d)
StaffList Code Analysis

Analyzed Mar 16, 2026

Dangerous Functions: 0
Raw SQL Queries: 20 (39 prepared)
Unescaped Output: 19 (40 escaped)
Nonce Checks: 2
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

66% prepared (39 of 59 total queries)

Output Escaping

68% escaped (40 of 59 total outputs)
Data Flow Analysis

3 flows · all sanitized
stafflist_plugin_options (stafflist.php:140)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
StaffList Attack Surface

Entry Points: 7
Unprotected: 6

AJAX Handlers: 6

auth · wp_ajax_ajax_update · stafflist.php:131
auth · wp_ajax_ajax_nextrow · stafflist.php:132
auth · wp_ajax_stafflist_sort · stafflist.php:133
auth · wp_ajax_stafflist_rename · stafflist.php:134
auth · wp_ajax_ajax_build · stafflist.php:821
nopriv · wp_ajax_ajax_build · stafflist.php:822

Shortcodes: 1

[stafflist] · stafflist.php:1275

WordPress Hooks: 5

action · admin_menu · stafflist.php:58
action · admin_init · stafflist.php:64
action · init · stafflist.php:82
action · admin_enqueue_scripts · stafflist.php:120
action · wp_enqueue_scripts · stafflist.php:798
StaffList Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Nov 25, 2025
PHP min version: 5.6
Downloads: 18K

Community Trust

Rating: 98/100
Number of ratings: 21
Active installs: 100
StaffList Developer Profile

ERA404

5 plugins · 320 total installs

Trust score: 58
Avg Security Score: 70/100
Avg Patch Time: 314 days
How We Detect StaffList

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/stafflist/stafflist_admin.css
/wp-content/plugins/stafflist/stafflist_admin.js
Script Paths
/wp-content/plugins/stafflist/stafflist_admin.js
Version Parameters
stafflist/stafflist_admin.css?ver=
stafflist/stafflist_admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
stafflist-staff-entry, stafflist-staff-name, stafflist-staff-title, stafflist-staff-department, stafflist-staff-email, stafflist-staff-phone, stafflist-search-form, stafflist-search-input (+2 more)
Data Attributes
data-stafflist-id, data-stafflist-action
JS Globals
paths.ajaxurl, paths.pluginurl
Shortcode Output
<div class="stafflist-container">
<div class="stafflist-staff-entry">
<div class="stafflist-staff-name">
<div class="stafflist-staff-title">
Frequently Asked Questions about StaffList