CVE-2026-1279 in Employee Directory Plugin

Summary

by MITRE • 02/06/2026

The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_title' parameter in the `search_employee_directory` shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 02/06/2026

The Employee Directory plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2026-1279 affecting versions through 1.2.1. This vulnerability resides within the search_employee_directory shortcode functionality where the form_title parameter fails to undergo proper input sanitization and output escaping mechanisms. The flaw allows authenticated attackers possessing Contributor-level privileges or higher to inject malicious scripts that persist in the plugin's database, making the vulnerability particularly dangerous as it can affect any user who accesses pages containing the injected content. The security implications extend beyond simple script execution since this represents a persistent threat that can compromise user sessions and potentially escalate to more severe attacks.

The technical nature of this vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws occurring when untrusted data is improperly incorporated into web pages without adequate validation or escaping. The vulnerability exists because the plugin fails to implement proper sanitization routines for user-supplied input before storing it in the database and subsequently rendering it in web pages. This weakness creates a persistent XSS vector where malicious code injected through the form_title parameter remains stored and executes whenever users access pages containing the compromised data. The attack requires minimal privileges, making it particularly concerning for WordPress environments where contributors might have access to plugin settings.

The operational impact of this vulnerability extends beyond simple script injection as it creates a persistent threat vector that can be exploited for session hijacking, credential theft, and potential privilege escalation attacks. Authenticated attackers can craft malicious payloads that execute in the context of other users' browsers, potentially allowing them to access sensitive employee information, modify directory entries, or even gain administrative access to the WordPress installation. The vulnerability affects all users who can access the plugin's administrative interface and utilize the search_employee_directory shortcode, which typically includes contributors, editors, and administrators. This makes the attack surface particularly broad and increases the likelihood of successful exploitation in real-world scenarios.

Mitigation strategies for CVE-2026-1279 should prioritize immediate plugin updates to versions that address the sanitization and escaping deficiencies. Organizations should implement strict input validation for all user-supplied parameters and ensure proper output escaping before rendering content in web pages. The principle of least privilege should be enforced by limiting Contributor-level access to plugin configuration settings and implementing additional security measures such as content security policies to prevent script execution. Regular security audits of WordPress plugins should include verification of input sanitization practices and output escaping mechanisms to prevent similar vulnerabilities from being introduced. The vulnerability also underscores the importance of following ATT&CK framework guidance for defending against persistent threats and maintaining up-to-date security practices throughout the WordPress ecosystem.
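As an added illustration (not the Employee Directory plugin's own code, which this entry does not reproduce), the PHP below sketches a shortcode handler in the shape the analysis describes: one that passes the form_title attribute straight into the rendered markup, and one that applies the sanitize-on-input and escape-on-output pattern with the WordPress helpers. The ed_demo_* function names, the constructed sample attribute, and the stand-in definitions of esc_html, sanitize_text_field and shortcode_atts are assumptions made so the file runs outside WordPress; inside WordPress the real core helpers take over because of the function_exists guards.

```php
<?php
// Added example, not the plugin's code. Stand-ins for WordPress core helpers so this
// file runs from the command line; in WordPress the real functions are already defined.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Core also strips octets and collapses whitespace; tag stripping is the part that matters here.
        return trim( strip_tags( (string) $str ) );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) {
        // Keep only known attributes, filling in defaults for missing ones.
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}

// Vulnerable shape (hypothetical): the attribute value flows into markup unchanged,
// so any tags a post author placed in form_title are rendered to every viewer.
function ed_demo_unsafe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'form_title' => 'Employee Search' ), $atts );
    return '<h2 class="ed-title">' . $atts['form_title'] . '</h2>';
}

// Hardened shape (hypothetical): sanitize the attribute when it is read, then escape
// at the exact point it is written into HTML. Both layers are kept on purpose:
// sanitize_text_field removes tags, esc_html neutralizes anything that remains.
function ed_demo_safe_shortcode( $atts ) {
    $atts  = shortcode_atts( array( 'form_title' => 'Employee Search' ), $atts );
    $title = sanitize_text_field( $atts['form_title'] );
    return '<h2 class="ed-title">' . esc_html( $title ) . '</h2>';
}

// Constructed sample input: a post-author-controlled attribute carrying markup.
$demo_atts = array( 'form_title' => 'Staff <b>List</b> & Search' );

echo ed_demo_unsafe_shortcode( $demo_atts ), PHP_EOL;
// <h2 class="ed-title">Staff <b>List</b> & Search</h2>   (markup survives)
echo ed_demo_safe_shortcode( $demo_atts ), PHP_EOL;
// <h2 class="ed-title">Staff List &amp; Search</h2>       (tags stripped, ampersand escaped)
```

In a plugin the hardened callback would be registered with add_shortcode() under the plugin's shortcode tag; the relevant review check when auditing such code is that every attribute read through shortcode_atts() reaches the output only through an esc_* call appropriate to its context (esc_html for element content, esc_attr for attribute values, esc_url for links), regardless of whether it was sanitized earlier.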

Disclosure

02/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low
