Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Name Directory

Source -

CNA

CNA CVEs -

9

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
9Vulnerabilities found
CVE-2026-3178
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.13% / 32.31%
||
7 Day CHG~0.00%
Published-11 Mar, 2026 | 11:09
Updated-22 Apr, 2026 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Name Directory <= 1.32.1 - Unauthenticated Stored Cross-Site Scripting via 'name_directory_name'

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' parameter in all versions up to, and including, 1.32.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.30.3 and 1.32.1.

Action-Not Available
Vendor-jeroenpeters1986
Product-Name Directory
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-1866
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.19% / 40.00%
||
7 Day CHG~0.00%
Published-10 Feb, 2026 | 09:26
Updated-08 Apr, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Name Directory <= 1.32.0 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling `html_entity_decode()` before `wp_kses()`, and then calling `html_entity_decode()` again on output. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the 'name_directory_name' and 'name_directory_description' parameters in the public submission form granted they can trick the site administrator into approving their submission or auto-publish is enabled.

Action-Not Available
Vendor-jeroenpeters1986
Product-Name Directory
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-15283
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.05% / 16.44%
||
7 Day CHG~0.00%
Published-14 Jan, 2026 | 05:28
Updated-08 Apr, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-jeroenpeters1986
Product-Name Directory
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-39454
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.44%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 17:31
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Name Directory plugin <= 1.30.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Peters Name Directory name-directory.This issue affects Name Directory: from n/a through <= 1.30.0.

Action-Not Available
Vendor-Jeroen Peters
Product-Name Directory
CWE ID-CWE-862
Missing Authorization
CVE-2024-43938
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.30% / 53.05%
||
7 Day CHG~0.00%
Published-17 Sep, 2024 | 22:43
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Name Directory plugin <= 1.29.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Peters Name Directory name-directory.This issue affects Name Directory: from n/a through <= 1.29.0.

Action-Not Available
Vendor-Jeroen Peters
Product-Name Directory
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22692
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.88%
||
7 Day CHG~0.00%
Published-22 May, 2023 | 08:42
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Name Directory Plugin <= 1.27.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Jeroen Peters Name Directory plugin <= 1.27.1 versions.

Action-Not Available
Vendor-name_directory_projectJeroen Peters
Product-name_directoryName Directory
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-2072
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.16%
||
7 Day CHG~0.00%
Published-25 Jul, 2022 | 12:46
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Name Directory < 1.25.3 - Reflected Cross-Site Scripting

The Name Directory WordPress plugin before 1.25.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well

Action-Not Available
Vendor-name_directory_projectUnknown
Product-name_directoryName Directory
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2071
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.11% / 28.34%
||
7 Day CHG~0.00%
Published-25 Jul, 2022 | 12:46
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF

The Name Directory WordPress plugin before 1.25.4 does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them.

Action-Not Available
Vendor-name_directory_projectUnknown
Product-name_directoryName Directory
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-20652
Assigner-JPCERT/CC
ShareView Details
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-0.09% / 25.82%
||
7 Day CHG~0.00%
Published-05 Feb, 2021 | 09:35
Updated-03 Aug, 2024 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Name Directory 1.17.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Action-Not Available
Vendor-name_directory_projectJ. Peters
Product-name_directoryName Directory
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)