CVE-2026-1866
Stored XSS in WordPress Name Directory Plugin Allows Script Injection
Publication date: 2026-02-10
Last updated on: 2026-02-10
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | name_directory | to 1.32.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1866 is a stored Cross-Site Scripting (XSS) vulnerability in the Name Directory plugin for WordPress, affecting all versions up to and including 1.32.0.
The vulnerability arises because the plugin's sanitization function improperly handles HTML entity decoding by calling `html_entity_decode()` before `wp_kses()`, and then calling `html_entity_decode()` again on output. This double decoding allows attackers to inject malicious scripts.
An unauthenticated attacker can exploit this by submitting malicious scripts via the 'name_directory_name' and 'name_directory_description' parameters in the public submission form. If the site administrator approves the submission or if auto-publish is enabled, the injected scripts will execute whenever a user views the affected page.
How can this vulnerability impact me?
This stored XSS vulnerability can allow attackers to inject arbitrary web scripts that execute in the browsers of users who visit the affected pages.
Potential impacts include theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites.
Because the attack can be performed by unauthenticated users and the scripts execute in the context of trusted users, it poses a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves stored Cross-Site Scripting (XSS) via double HTML-entity encoding in the Name Directory WordPress plugin versions up to 1.32.0. Detection would involve identifying if your WordPress installation is running the vulnerable Name Directory plugin version and if the plugin is accepting and storing user inputs in the 'name_directory_name' and 'name_directory_description' parameters without proper sanitization.
Since the vulnerability is triggered by stored malicious scripts in these parameters, detection can include searching the database for suspicious or encoded script tags within the name or description fields of the plugin's entries.
There are no explicit commands provided in the resources, but general approaches include:
- Check the installed plugin version via WordPress admin or by inspecting the plugin files.
- Query the WordPress database for entries in the Name Directory plugin tables containing suspicious encoded scripts, for example using SQL commands like: `SELECT * FROM wp_name_directory_names WHERE name LIKE '%<script%' OR description LIKE '%<script%';`
- Monitor HTTP requests to the submission form for suspicious payloads in 'name_directory_name' and 'name_directory_description' parameters.
- Use web application scanners or security plugins that detect stored XSS vulnerabilities in WordPress plugins.

[4]
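An added example (not from the original page or the plugin's code): a literal `LIKE '%<script%'` match only finds unencoded markup, so this Python check decodes HTML entities repeatedly until the text stops changing and only then looks for markup. The row layout `(id, name, description)`, the pattern list and the `MAX_LAYERS` cap are assumptions, and the sample rows are constructed stand-ins for rows exported from the table named above.

```python
import html
import re

# Markup that should not appear in a directory name or description once all
# entity layers are decoded. Deliberately broad: review every hit by hand.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|svg|img|object|embed|style|link|meta)\b"
    r"|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)
MAX_LAYERS = 5  # assumption: cap on nested encoding worth unwrapping


def fully_decode(value):
    """Decode HTML entities until stable; return (text, passes that changed it)."""
    layers = 0
    while layers < MAX_LAYERS:
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
        layers += 1
    return value, layers


def scan_rows(rows):
    """Yield (id, field, layers) for each field holding suspicious markup."""
    for row_id, name, description in rows:
        for field, text in (("name", name), ("description", description)):
            decoded, layers = fully_decode(text or "")
            if SUSPICIOUS.search(decoded):
                yield row_id, field, layers


# Constructed sample rows (id, name, description); not real data.
SAMPLE_ROWS = [
    (1, "Alice", "Founder &amp; maintainer"),
    (2, "Bob", "&lt;script&gt;/* constructed */&lt;/script&gt;"),
    (3, "&amp;lt;script&amp;gt;/* constructed */&amp;lt;/script&amp;gt;", None),
    (4, "Carol", "Prefers tea < coffee"),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print("review entry id=%d field=%s encoding layers=%d" % hit)
```

The reported layer count shows how many rounds of entity encoding wrapped the markup; any value above zero on a flagged field would not have matched the literal SQL pattern.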
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Name Directory WordPress plugin to version 1.31.0 or later, where the stored XSS vulnerability has been fixed by improving input sanitization and output encoding.
Additional immediate steps include:
- Disable or restrict public submissions if possible, to prevent unauthenticated attackers from injecting malicious scripts.
- Ensure that submissions require administrator approval before being published, preventing automatic publication of malicious content.
- Implement or verify that Google reCAPTCHA v2 is enabled on the submission form to reduce automated malicious submissions.
- Review existing entries in the Name Directory for suspicious or malicious content and remove or sanitize them.
- Monitor and audit plugin usage and logs for unusual activity related to name submissions.