CVE-2025-8313 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Campus Directory – Faculty, Staff & Student Directory plugin for WordPress, developed by emarket-design. This vulnerability exists in all versions up to and including 1.9.1. The root cause is insufficient sanitization and escaping of the 'noaccess_msg' parameter, which is used during web page generation. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into the parameter. Because the injected script is stored and rendered on pages viewed by other users, it executes in their browsers without requiring further interaction. This can lead to a range of malicious outcomes, including session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or site defacement. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability affects WordPress sites using this plugin, which is commonly deployed in educational institutions to manage faculty, staff, and student directories. The plugin's widespread use in academic environments increases the potential impact. The vulnerability was published on August 5, 2025, and was reserved on July 29, 2025. No official patches or updates are currently linked, emphasizing the need for immediate mitigation steps by administrators.

The primary impact of CVE-2025-8313 is the compromise of user confidentiality and integrity within affected WordPress sites. Exploitation allows attackers with Contributor-level access to inject persistent malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, credential theft, or unauthorized actions performed with victim privileges. This can undermine trust in the affected websites, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. Since the vulnerability does not impact availability directly, denial-of-service is less likely. However, reputational damage and regulatory consequences could be significant, especially for educational institutions handling sensitive personal data. The requirement for authenticated access limits the attack surface but does not eliminate risk, as Contributor roles are commonly assigned to users who submit content. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the attacker’s privileges, increasing its severity. Organizations worldwide using this plugin in their WordPress deployments, particularly in education sectors, face moderate risk until remediation is applied.

1. Immediately restrict Contributor-level access to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 2. Implement additional input validation and output encoding for the 'noaccess_msg' parameter at the application or web server level using Web Application Firewalls (WAFs) with custom rules to detect and block malicious scripts. 3. Monitor logs for unusual Contributor activity or unexpected script injections in directory pages. 4. Disable or remove the Campus Directory plugin if it is not essential to reduce attack surface. 5. Regularly update WordPress core and plugins; monitor emarket-design’s official channels for patches or security updates addressing this vulnerability. 6. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 7. Educate site administrators and users about the risks of XSS and safe content submission practices. 8. Conduct security audits and penetration testing focusing on input sanitization and stored XSS vectors in custom or third-party plugins.