WordPress · Name Directory · CVE-2026-1866
**Name of the Vulnerable Software and Affected Versions**
Name Directory plugin for WordPress versions prior to 1.32.1
**Description**
The Name Directory plugin for WordPress is susceptible to Stored Cross-Site Scripting due to double HTML-entity encoding. The plugin's sanitization function calls `html_entity_decode()` before `wp_kses()`, and then calls `html_entity_decode()` again on output. This allows unauthenticated attackers to inject arbitrary web scripts through the `name_directory_name` and `name_directory_description` parameters in the public submission form. The scripts execute when a user accesses the injected page, provided the attacker can convince the site administrator to approve the submission or auto-publish is enabled.
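The decode, filter, decode order described above can be reproduced outside WordPress; the following is an added example, not the plugin's code, with `strip_tags()` standing in for `wp_kses()` and all function names and sample strings constructed for illustration. The hardened variant shows one general way to close the gap (no decode on output, escape instead) and is not taken from the 1.32.1 patch.

```php
<?php
// Stand-in for wp_kses() with an empty allow-list (assumption: run outside WordPress).
function kses_stand_in(string $s): string {
    return strip_tags($s);
}

// Flawed flow from the advisory: decode, filter on input, then decode again on output.
function flawed_sanitize(string $input): string {
    return kses_stand_in(html_entity_decode($input, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
function flawed_render(string $stored): string {
    return html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened flow (hypothetical): filter the raw input, never decode on output,
// and escape at the point of output without re-encoding existing entities.
function hardened_sanitize(string $input): string {
    return kses_stand_in($input);
}
function hardened_render(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

// True when the rendered value would reach the browser as real markup.
function has_live_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed test strings: the same marker, entity-encoded once and twice.
$samples = [
    'single-encoded' => '&lt;script&gt;alert(1)&lt;/script&gt;',
    'double-encoded' => '&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;',
];

foreach ($samples as $label => $input) {
    $flawed   = flawed_render(flawed_sanitize($input));
    $hardened = hardened_render(hardened_sanitize($input));
    printf(
        "%s\n  flawed:   %s [%s]\n  hardened: %s [%s]\n",
        $label,
        $flawed,
        has_live_tag($flawed) ? 'LIVE TAG' : 'inert',
        $hardened,
        has_live_tag($hardened) ? 'LIVE TAG' : 'inert'
    );
}
```

The single-encoded string is decoded into a tag before the filter runs and is stripped, while the double-encoded string still looks like plain text when the filter sees it and only becomes a tag in the second decode at output.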
**Recommendations**
Update the Name Directory plugin to version 1.32.1 or later.