Vulnerabilities ›

CVE-2025-15283

High

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.

CWE-79 — Weakness Type

                    Published: Jan 14, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.2

🔗 NVD Official

📄 Description (English)

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The Name Directory WordPress plugin (versions ≤1.30.3) contains a Stored Cross-Site Scripting (XSS) vulnerability allowing unauthenticated attackers to inject malicious scripts through insufficiently sanitized parameters. These scripts execute when users access affected pages, potentially compromising user sessions, stealing credentials, or distributing malware. This vulnerability poses significant risk to Saudi organizations using WordPress with this plugin, particularly those handling sensitive business or customer data.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 11:02

🇸🇦 Saudi Arabia Impact Assessment

High impact for Saudi organizations using WordPress-based websites, particularly: (1) Banking and Financial Services - customer portals and internal systems using this plugin risk credential theft and session hijacking; (2) Government and Public Sector - ministry websites and citizen-facing portals could be compromised for disinformation; (3) Healthcare Sector - patient directories and hospital websites could expose sensitive health information; (4) E-commerce and Retail - customer data and transaction information at risk; (5) Telecommunications - customer management systems vulnerable to data exfiltration. Organizations under SAMA and NCA oversight face heightened compliance implications.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services E-commerce and Retail Telecommunications Education Media and Publishing Real Estate and Property Management

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1598 - Phishing T1566 - Phishing T1204 - User Execution T1539 - Steal Web Session Cookie T1056 - Input Capture T1185 - Man in the Browser

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all WordPress installations using Name Directory plugin version ≤1.30.3 across your organization

2. Disable the plugin immediately if not critical to operations

3. Audit all pages/posts created with this plugin for injected scripts

4. Review access logs for suspicious activity patterns



PATCHING:

1. Update Name Directory plugin to version 1.30.4 or later immediately

2. Test updates in staging environment before production deployment

3. Verify plugin functionality post-update



COMPENSATING CONTROLS (if immediate patching not possible):

1. Implement Web Application Firewall (WAF) rules to detect/block XSS payloads in plugin parameters

2. Apply Content Security Policy (CSP) headers to restrict script execution

3. Enable WordPress security plugins with XSS detection capabilities

4. Restrict plugin access to authenticated users only if possible



DETECTION:

1. Monitor WordPress logs for suspicious 'name_directory_name' and 'name_directory_description' parameter values

2. Search database for common XSS payloads: <script>, javascript:, onerror=, onload=

3. Implement SIEM rules to alert on stored XSS patterns

4. Regular security scanning with tools like Wordfence or Sucuri

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع تثبيتات WordPress التي تستخدم مكون Name Directory الإصدار ≤1.30.3 في جميع أنحاء المنظمة

2. تعطيل المكون فوراً إذا لم يكن حرجاً للعمليات

3. تدقيق جميع الصفحات/المنشورات المنشأة باستخدام هذا المكون للبحث عن البرامج النصية المحقونة

4. مراجعة سجلات الوصول للأنشطة المريبة

التصحيح:

1. تحديث مكون Name Directory إلى الإصدار 1.30.4 أو أحدث فوراً

2. اختبار التحديثات في بيئة التطوير قبل نشرها في الإنتاج

3. التحقق من وظائف المكون بعد التحديث

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن حمولات XSS وحجبها

2. تطبيق رؤوس سياسة أمان المحتوى (CSP) لتقييد تنفيذ البرامج النصية

3. تفعيل مكونات أمان WordPress مع قدرات الكشف عن XSS

4. تقييد وصول المكون للمستخدمين المصرح لهم فقط إن أمكن

الكشف:

1. مراقبة سجلات WordPress للقيم المريبة في معاملات 'name_directory_name' و'name_directory_description'

2. البحث في قاعدة البيانات عن حمولات XSS الشائعة: <script>، javascript:، onerror=، onload=

3. تطبيق قواعد SIEM للتنبيه عن أنماط XSS المخزنة

4. المسح الأمني المنتظم باستخدام أدوات مثل Wordfence أو Sucuri

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 - Input validation and sanitization controls 5.2.1 - Output encoding and escaping requirements 5.3.2 - Web application security controls 6.1.1 - Vulnerability management and patching

🔵 SAMA CSF

ID.BE-5 - Organizational resilience related to cybersecurity risk PR.DS-1 - Data security and protection PR.IP-1 - Security policy and process establishment DE.CM-1 - Detection and monitoring of security events

🟡 ISO 27001:2022

A.14.2.1 - Secure development policy A.14.2.5 - Secure development environment A.14.3.1 - Separation of development, test and production environments A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

6.5.1 - Injection flaws prevention 6.5.7 - Cross-site scripting (XSS) prevention 6.2 - Security patches and updates

🔗 References & Sources 3

🔗

https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=9...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?mar...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-40559...

security@wordfence.com

📊 CVSS Score

7.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.2

CWECWE-79

EPSS0.05%

Exploit No

Patch ✓ Yes

Published 2026-01-14

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2025-15283

💬 Comments

Introduce Yourself

Sign In Required