{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15283", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-29T21:20:08.934Z", "datePublished": "2026-01-14T05:28:07.374Z", "dateUpdated": "2026-04-08T16:47:29.731Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:29.731Z"}, "affected": [{"vendor": "jeroenpeters1986", "product": "Name Directory", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.30.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?marks=38,41,69#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=927-928#L927"}, {"url": "https://plugins.trac.wordpress.org/changeset/3438261/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-12-22T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-03T11:25:01.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-13T17:22:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T20:00:30.097619Z", "id": "CVE-2025-15283", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T20:00:43.944Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15283", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T20:00:30.097619Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T20:00:35.356Z"}}], "cna": {"title": "Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "jeroenpeters1986", "product": "Name Directory", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.30.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-22T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2026-01-13T17:22:07.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?marks=38,41,69#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=927-928#L927"}], "descriptions": [{"lang": "en", "value": "The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-14T05:28:07.374Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15283", "state": "PUBLISHED", "dateUpdated": "2026-01-15T20:00:43.944Z", "dateReserved": "2025-12-29T21:20:08.934Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T05:28:07.374Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Name Directory para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de los par\u00e1metros 'name_directory_name' y 'name_directory_description' en todas las versiones hasta la 1.30.3, inclusive, debido a la sanitizaci\u00f3n insuficiente de la entrada y al escape de la salida. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-15283", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T06:15:54.130", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=927-928#L927"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?marks=38,41,69#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3438261/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:26:48.452533+00:00", "value": {"mitigation_remediation": ["Upgrade Name Directory to a release newer than 1.30.3 where the stored XSS issue is fixed.", "If an upgrade cannot be performed immediately, deactivate or remove the plugin to eliminate the vulnerable code paths until a patch is applied.", "While the plugin remains active, apply a web\u2011application firewall or security plugin rule that sanitizes the name_directory_name and name_directory_description fields, stripping JavaScript before saving or rendering the data."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting for unauthenticated users"}, "threat_synthesis": {"affected_systems": "This flaw exists in all releases of the Name Directory plugin up to and including version 1.30.3. The affected product is the WordPress plugin known as Name Directory, provided by the vendor jeroenpeters1986. All installations of the plugin that have not been upgraded beyond 1.30.3 are vulnerable. There is no further version restriction listed beyond the cutoff. ", "description_and_impact": "The WordPress plugin Name Directory is vulnerable to stored Cross\u2011Site Scripting through the name_directory_name and name_directory_description parameters. Because input is not properly sanitized or escaped, attackers can inject malicious scripts that are stored and later executed whenever any user visits a page that displays the stored content. This elevates the attacker\u2019s ability to steal session cookies, deface sites, or perform other client side attacks. The weakness corresponds to a classic insecure input handling flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 7.2 indicates a moderate to high severity. The EPSS score is below 1\u202f%, reflecting a low but non\u2011zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no documented active exploitation. Attackers would typically exploit the flaw by submitting malicious payloads via the vulnerable parameters, which are stored by the plugin and rendered in subsequent page loads. Because the attack does not require authentication, any user can exploit the flaw to inject scripts into the site\u2019s public pages."}}}}, "created": "2026-01-14T10:48:43.981076+00:00", "updated": "2026-04-21T16:30:40.682697+00:00", "vendors": ["jeroenpeters1986", "jeroenpeters1986$PRODUCT$name_directory", "wordpress", "wordpress$PRODUCT$wordpress"]}