Executive Summary

CVE-2026-1866 is a stored Cross-Site Scripting (XSS) vulnerability in the Name Directory plugin for WordPress, affecting all versions up to and including 1.32.0.

The vulnerability arises because the plugin's sanitization function improperly handles HTML entity decoding by calling `html_entity_decode()` before `wp_kses()`, and then calling `html_entity_decode()` again on output. This double decoding allows attackers to inject malicious scripts.

An unauthenticated attacker can exploit this by submitting malicious scripts via the 'name_directory_name' and 'name_directory_description' parameters in the public submission form. If the site administrator approves the submission or if auto-publish is enabled, the injected scripts will execute whenever a user views the affected page.

Useful 0 Not Useful 0

Impact Analysis

This stored XSS vulnerability can allow attackers to inject arbitrary web scripts that execute in the browsers of users who visit the affected pages.

Potential impacts include theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites.

Because the attack can be performed by unauthenticated users and the scripts execute in the context of trusted users, it poses a significant security risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability involves stored Cross-Site Scripting (XSS) via double HTML-entity encoding in the Name Directory WordPress plugin versions up to 1.32.0. Detection would involve identifying if your WordPress installation is running the vulnerable Name Directory plugin version and if the plugin is accepting and storing user inputs in the 'name_directory_name' and 'name_directory_description' parameters without proper sanitization."}, {'type': 'paragraph', 'content': "Since the vulnerability is triggered by stored malicious scripts in these parameters, detection can include searching the database for suspicious or encoded script tags within the name or description fields of the plugin's entries."}, {'type': 'paragraph', 'content': 'There are no explicit commands provided in the resources, but general approaches include:'}, {'type': 'list_item', 'content': 'Check the installed plugin version via WordPress admin or by inspecting the plugin files.'}, {'type': 'list_item', 'content': "Query the WordPress database for entries in the Name Directory plugin tables containing suspicious encoded scripts, for example using SQL commands like: SELECT * FROM wp_name_directory_names WHERE name LIKE '%<script%' OR description LIKE '%<script%';"}, {'type': 'list_item', 'content': "Monitor HTTP requests to the submission form for suspicious payloads in 'name_directory_name' and 'name_directory_description' parameters."}, {'type': 'list_item', 'content': 'Use web application scanners or security plugins that detect stored XSS vulnerabilities in WordPress plugins.'}] [4]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the Name Directory WordPress plugin to version 1.31.0 or later, where the stored XSS vulnerability has been fixed by improving input sanitization and output encoding.

Additional immediate steps include:

• Disable or restrict public submissions if possible, to prevent unauthenticated attackers from injecting malicious scripts.
• Ensure that submissions require administrator approval before being published, preventing automatic publication of malicious content.
• Implement or verify that Google reCAPTCHA v2 is enabled on the submission form to reduce automated malicious submissions.
• Review existing entries in the Name Directory for suspicious or malicious content and remove or sanitize them.
• Monitor and audit plugin usage and logs for unusual activity related to name submissions.

Useful 0 Not Useful 0