CVE-2025-12185
The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2025-12185 StaffList <= 3.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting
The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
PT-2025-48235
The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
EUVD-2024-51742
Malicious code in bioql PyPI...
CVE-2025-32255 WordPress StaffList plugin <= 3.2.6 - Sensitive Data Exposure vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ERA404 StaffList allows Retrieve Embedded Sensitive Data. This issue affects StaffList: from n/a through 3.2.6...
CVE-2025-32255 WordPress StaffList plugin <= 3.2.7 - Sensitive Data Exposure vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ERA404 StaffList stafflist allows Retrieve Embedded Sensitive Data. This issue affects StaffList: from n/a through = 3.2.7...
CVE-2025-32232 WordPress StaffList plugin <= 3.2.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in ERA404 StaffList allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects StaffList: from n/a through 3.2.6...
WordPress StaffList plugin <= 3.2.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Anhchangmutrang in WordPress Plugin StaffList versions = 3.2.7...
CVE-2024-13749
The StaffList plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing or incorrect nonce validation on the 'stafflist' page. This makes it possible for unauthenticated attackers to update settings and inject malicious we...
CVE-2024-13749 StaffList <= 3.2.3 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
The StaffList plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing or incorrect nonce validation on the 'stafflist' page. This makes it possible for unauthenticated attackers to update settings and inject malicious we...
CVE-2024-13749
CVE-2024-13749 affects the WordPress StaffList plugin up to version 3.2.3. It is a CSRF on the stafflist page caused by missing nonce validation, enabling unauthenticated actors to update settings and inject scripts via forged requests when a site admin executes an action (e.g., clicking a link)....
WordPress StaffList plugin SQL injection vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. SQL injection vulnerability exists in versions of WordPress StaffList plugin prior to 3.1.5, which...
CVE-2022-1556
The StaffList WordPress plugin before 3.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection...
StaffList < 3.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in various places in an admin page, leading to a Reflected Cross-Site Scripting PoC v v 3.1.7 - https://example.com/wp-admin/admin.php?page=stafflist=aa' style=animation-name:rotation onanimationstart=alert/XSS///...
WordPress StaffList plugin <= 3.1.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Hassan Khan Yusufzai in WordPress StaffList plugin versions = 3.1.5. Solution Update the WordPress StaffList plugin to the latest available version at least 3.1.6...
WordPress Stafflist 3.1.2 Cross Site Scripting
Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS Authenticated Date: 05-02-2022 Exploit Author: Hassan Khan Yusufzai - Splint3r7 Vendor Homepage: https://wordpress.org/plugins/stafflist/ Version: 3.1.2 Tested on: Firefox Contact me: h at spidersilk.com Summary: A cross site scripti...