CVE-2025-8313 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress, developed by emarket-design. This vulnerability affects all versions up to and including 1.9.1. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'noaccess_msg' parameter. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages generated by the plugin. These scripts execute in the context of any user who views the infected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to a Contributor role, and no user interaction is needed for exploitation once the malicious script is injected. The scope is changed because the vulnerability affects resources beyond the attacker’s privileges, impacting other users who access the compromised pages. No known exploits are currently reported in the wild, and no patches have been released at the time of this report.

For European organizations using WordPress sites with the vulnerable Campus Directory plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user data. Educational institutions, universities, and other organizations that maintain faculty, staff, or student directories are particularly at risk. Exploitation could lead to unauthorized disclosure of sensitive information, session hijacking of users with higher privileges, and potential defacement or manipulation of directory information. This could undermine trust in institutional websites and lead to compliance issues under GDPR due to unauthorized data exposure. Additionally, the ability to execute scripts without user interaction increases the risk of automated or stealthy attacks. The medium severity rating suggests that while the vulnerability is not critical, it is sufficiently serious to warrant prompt remediation to prevent exploitation and potential reputational damage.

European organizations should immediately audit their WordPress installations to identify the presence of the Campus Directory plugin and verify the version in use. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict Contributor-level and higher privileges strictly to trusted users to reduce the risk of malicious script injection. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'noaccess_msg' parameter. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Regularly monitor logs and user activity for unusual behavior indicative of exploitation attempts. 5) Consider temporarily disabling or removing the plugin if it is not essential, or replacing it with a secure alternative. 6) Educate site administrators and content contributors about the risks of injecting untrusted content. These targeted actions go beyond generic advice by focusing on privilege management, proactive detection, and containment strategies specific to this vulnerability.