WordPress Security Bulletin: Employee Directory Plugin Vulnerability (CVE-2026-1279)

Security Alert Summary

The Employee Directory plugin for WordPress contains a stored Cross-Site Scripting (XSS) vulnerability in the form_title parameter used by the search_employee_directory shortcode. Authenticated users with Contributor-level access and above can inject scripts that will run when other users view the affected pages.

CVE Details

  • CVE ID: CVE-2026-1279
  • Affected component: Employee Directory plugin for WordPress (as stated in the CVE description)
  • Affected versions: All versions up to, and including, 1.2.1
  • Published: February 6, 2026 at 8:15:52 AM
  • Last modified: February 6, 2026 at 3:14:47 PM
  • CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user; the CVE description specifies exploitation by users with Contributor-level access and above. Privileges Required: LOW; User Interaction: NONE.
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)

Technical Details

This issue is a stored Cross-Site Scripting vulnerability caused by insufficient input sanitization and lack of output escaping for the form_title parameter used by the search_employee_directory shortcode. The value supplied to that parameter is stored with the post content and rendered into the page each time the shortcode runs, so an authenticated attacker who can place a malicious form_title value in content can inject arbitrary JavaScript that executes in the browser of every user who views the affected page.

The CVE description identifies only the form_title parameter and the search_employee_directory shortcode as the vector; it does not say where in the generated markup the value is rendered. The root cause is the same either way: the stored value reaches the page without being sanitized on input or escaped for its HTML context on output, so a payload persists in the content and runs on every view. A correct fix escapes the value with the escaper that matches where it is emitted (element text or attribute value) rather than only stripping tags.
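The following is an added example written for this bulletin, not code from the Employee Directory plugin or from the CVE entry. It is a hypothetical shortcode handler that shows the defect class described above next to a hardened version. Only the shortcode name and the form_title attribute come from the CVE description; the function names, the generated markup, the placeholder attribute and the sample payloads are assumptions for illustration.

```php
<?php
// Added example, not code from the Employee Directory plugin: a hypothetical
// shortcode handler written to show the defect class behind CVE-2026-1279 and
// the hardened form. Only the shortcode name and the form_title attribute come
// from the CVE description; function names, markup and the attribute context
// are assumptions for illustration.

// Stand-ins so the file runs outside WordPress with plain `php`. Inside
// WordPress these functions exist in core and the stand-ins are skipped.
// (The real sanitize_text_field also strips octets, line breaks and extra
// whitespace; the stand-in only strips tags.)
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        return trim(strip_tags((string) $text));
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        return array_merge($defaults, (array) $atts);
    }
}

// VULNERABLE pattern: the stored attribute value is concatenated into the
// output verbatim, once as element text and once inside an attribute. A
// Contributor who writes
//   [search_employee_directory form_title='" autofocus onfocus="alert(1)']
// into a draft gets that string into the DOM of anyone who renders it.
function employee_directory_vulnerable($atts) {
    $atts = shortcode_atts(['form_title' => 'Search Employees'], $atts);
    return '<h2 class="ed-title">' . $atts['form_title'] . '</h2>'
         . '<input type="text" name="q" placeholder="' . $atts['form_title'] . '">';
}

// HARDENED: sanitize on input, then escape on output with the escaper that
// matches each HTML context (esc_html for element text, esc_attr inside an
// attribute value). Escaping is what closes the hole; sanitize_text_field
// does not remove quotes, so it alone would not stop the attribute breakout.
function employee_directory_hardened($atts) {
    $atts  = shortcode_atts(['form_title' => 'Search Employees'], $atts);
    $title = sanitize_text_field($atts['form_title']);
    return '<h2 class="ed-title">' . esc_html($title) . '</h2>'
         . '<input type="text" name="q" placeholder="' . esc_attr($title) . '">';
}

// Constructed payloads for comparison (not taken from any real exploit).
$payloads = [
    'Find a colleague',                              // benign
    '</h2><script>alert(document.domain)</script>',  // element-text injection
    '" autofocus onfocus="alert(1)',                 // attribute breakout
];
foreach ($payloads as $payload) {
    echo "form_title: {$payload}\n";
    echo "  vulnerable: " . employee_directory_vulnerable(['form_title' => $payload]) . "\n";
    echo "  hardened:   " . employee_directory_hardened(['form_title' => $payload]) . "\n";
}
```

Run it with `php` from the command line and compare the two outputs per payload. One caveat worth keeping in mind: Contributors do not hold the unfiltered_html capability, so WordPress's KSES filter strips a raw `<script>` tag from their post content on save. The attribute-breakout payload is plain text as far as KSES is concerned and survives, which is why a shortcode handler must escape for the output context itself rather than rely on content filtering upstream.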

How This Could Impact Your Website

Consider a site with multiple users: a site owner, internal staff who manage content, and external contractors or contributors who help maintain pages. A Contributor can create and edit draft posts containing shortcodes, so they can insert a malicious form_title value even though they cannot publish. The script fires as soon as someone renders that content: an Editor or Administrator previewing or reviewing the draft before publication, and, once it is published, every visitor to the page.

  • An attacker-controlled script can read whatever the page exposes to the browser (rendered content, form fields, the directory listing itself), potentially disclosing internal user information such as names or email addresses shown on the page.
  • Exposed or harvestable contact information increases the risk of targeted phishing or social engineering against staff or contractors.
  • Because the vulnerability is XSS, it does not give the attacker server access directly, and the CVSS confidentiality and integrity impacts are rated LOW. In practice the script runs with whatever privileges the viewing user holds, so a payload triggered in an Administrator's session can perform administrative actions on that user's behalf. WordPress authentication cookies are HttpOnly, so outright cookie theft is not the usual route; acting through the victim's authenticated browser is.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available. The CVE entry does not specify a fixed version, so check the plugin's changelog for a release later than 1.2.1 that references this issue. Until a patched version is installed, consider deactivating the plugin or removing the search_employee_directory shortcode from content.
  • Restrict and review user roles: reduce the number of users with Contributor-level access or higher where possible.
  • Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site activity and logs for unusual behavior, especially edits to posts or pages that use the search_employee_directory shortcode. Include drafts and post revisions in that review, since a Contributor's payload sits in unpublished content until an Editor or Administrator opens it.
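To support the last two actions, here is an added example, again not code from the plugin or the CVE entry: a scan over post content that pulls the form_title value out of every search_employee_directory shortcode and flags values containing HTML or attribute-breakout characters. The regular expressions, the heuristics, the suggested file name and the sample posts are assumptions; the shortcode and attribute names are the only details taken from the CVE description.

```php
<?php
// Added example, not code from the Employee Directory plugin: scan post
// content for search_employee_directory shortcodes whose form_title attribute
// carries HTML or script-like content. Run offline with plain `php` on the
// constructed sample below, or inside a site with
//   wp eval-file scan-form-title.php
// (file name is an assumption), where it reads real posts via get_posts().

const SHORTCODE_RE  = '/\[search_employee_directory\b([^\]]*)\]/i';
const FORM_TITLE_RE = '/\bform_title\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';

// Return every form_title value found in the shortcode instances of one post.
function extract_form_titles(string $content): array {
    $titles = [];
    if (preg_match_all(SHORTCODE_RE, $content, $matches)) {
        foreach ($matches[1] as $attrs) {
            if (preg_match(FORM_TITLE_RE, $attrs, $t)) {
                // Double-quoted, single-quoted or bare value; unmatched trailing
                // groups are absent from $t, hence the null coalescing.
                $titles[] = ($t[1] ?? '') !== '' ? $t[1]
                          : (($t[2] ?? '') !== '' ? $t[2] : ($t[3] ?? ''));
            }
        }
    }
    return $titles;
}

// Heuristic: a legitimate heading has no reason to contain markup, quotes,
// an inline event handler or a javascript: URI. Treat hits as "review this",
// not as proof of compromise.
function is_suspicious_title(string $title): bool {
    return $title !== '' && (
        preg_match('/[<>"\']/', $title)          // tag or quote/attribute breakout
        || preg_match('/\bon[a-z]+\s*=/i', $title) // onfocus=, onerror=, ...
        || preg_match('/javascript\s*:/i', $title) // URI-scheme payload
    );
}

// $posts is a map of post ID => post_content.
function find_suspicious_form_titles(array $posts): array {
    $hits = [];
    foreach ($posts as $id => $content) {
        foreach (extract_form_titles($content) as $title) {
            if (is_suspicious_title($title)) {
                $hits[] = ['post_id' => $id, 'form_title' => $title];
            }
        }
    }
    return $hits;
}

if (function_exists('get_posts')) {
    // Inside WordPress: every post of any type and status that mentions the
    // shortcode, drafts and pending review included.
    $posts = [];
    $query = ['post_type' => 'any', 'post_status' => 'any',
              'numberposts' => -1, 's' => 'search_employee_directory'];
    foreach (get_posts($query) as $post) {
        $posts[$post->ID] = $post->post_content;
    }
} else {
    // Constructed sample post_content values for offline use.
    $posts = [
        101 => '[search_employee_directory form_title="Find a colleague"]',
        102 => '<p>Staff</p>[search_employee_directory form_title=\'" autofocus onfocus="alert(1)\' per_page="20"]',
        103 => '[search_employee_directory form_title="Team &amp; partners"]',
        104 => 'no shortcode here',
    ];
}

foreach (find_suspicious_form_titles($posts) as $hit) {
    printf("post %d: suspicious form_title %s\n",
           $hit['post_id'], var_export($hit['form_title'], true));
}
```

On the sample data only post 102 is reported; the benign titles, including the one with an HTML entity, pass. The scan covers post_content only; if the plugin also stores form_title in its own option or table, check that location with the same heuristics. Post revisions (post_type revision) are included by the `post_type => 'any'` query, which matters because a payload that was later edited out still survives in revision history.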

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
