CVE-2025-5532 is a stored cross-site scripting vulnerability identified in the Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress, developed by emarket-design. The vulnerability exists in all versions up to and including 1.9.0, specifically within the 'emd_mb_meta' shortcode functionality. The root cause is insufficient sanitization and escaping of user-supplied attributes, which allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability is exploitable remotely over the network without user interaction, requiring only authenticated access at a contributor level, which is a common permission level in WordPress sites. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, privileges required, no user interaction, scope change, and low impact on confidentiality and integrity, with no impact on availability. Although no active exploits are reported, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin in educational and organizational environments. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to cross-site scripting.

The primary impact of CVE-2025-5532 is the potential compromise of user sessions and data confidentiality through the execution of malicious scripts in the context of trusted websites. Attackers with contributor-level access can inject persistent scripts that execute for all users visiting the affected pages, enabling theft of cookies, credentials, or other sensitive information. This can lead to account takeover, privilege escalation, or unauthorized actions performed on behalf of legitimate users. For organizations, this can result in data breaches, reputational damage, and potential regulatory non-compliance, especially in educational institutions where sensitive faculty, staff, and student information is managed. The vulnerability does not directly affect system availability but can indirectly cause service disruptions if exploited for defacement or malicious redirects. Since contributor-level access is often granted to multiple users, the attack surface is relatively broad within affected WordPress installations. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the initially compromised component, increasing the risk of widespread impact within the site.

To mitigate CVE-2025-5532, organizations should immediately update the Campus Directory plugin to a version where the vulnerability is patched once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and audit existing user permissions to minimize risk. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'emd_mb_meta' shortcode can provide temporary protection. Additionally, site administrators should enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly scanning the site for injected scripts and unusual content changes can help detect exploitation attempts early. Educating contributors about safe input practices and monitoring logs for suspicious activity related to shortcode usage is also recommended. Finally, consider isolating or disabling the vulnerable shortcode if it is not essential to site functionality.