CVE-2026-3178
Received Received - Intake
Stored XSS in WordPress Name Directory Plugin Allows Script Injection

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' parameter in all versions up to, and including, 1.32.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.30.3 and 1.32.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3178
EUVD
EUVD-2026-11143
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-3178 is a Stored Cross-Site Scripting (XSS) vulnerability in the Name Directory plugin for WordPress. It occurs via the 'name_directory_name' parameter in all versions up to and including 1.32.1 due to insufficient input sanitization and output escaping. This flaw allows unauthenticated attackers to inject arbitrary web scripts into pages, which execute whenever a user accesses the injected page."}, {'type': 'paragraph', 'content': "The vulnerability was partially patched in versions 1.30.3 and 1.32.1, and fully addressed in version 1.33.0 by improving input sanitization, output escaping, nonce verification, and permission checks in the plugin's admin and database handling components."}] [1, 2, 3]

Impact Analysis

This vulnerability can allow unauthenticated attackers to inject malicious scripts into the plugin's pages, which will execute in the context of users visiting those pages. This can lead to theft of user credentials, session hijacking, defacement, or redirection to malicious sites.

Because the vulnerability is exploitable without authentication and affects all users who access the injected pages, it poses a significant security risk to website visitors and administrators.

The CVSS v3.1 base score of 7.2 reflects a high severity with network attack vector, low attack complexity, no privileges required, no user interaction needed, and impacts confidentiality and integrity.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'name_directory_name' parameter in the Name Directory WordPress plugin versions up to 1.32.1. Detection involves identifying if your WordPress installation uses this vulnerable plugin version and checking for suspicious script injections in pages that display directory names.

Since the vulnerability is related to insufficient input sanitization and output escaping, you can detect it by searching for injected scripts in the 'name_directory_name' parameter or in pages that render directory names.

Suggested commands or steps include:

  • Check the installed version of the Name Directory plugin to see if it is version 1.32.1 or earlier.
  • Use web application scanning tools or manual inspection to look for suspicious script tags or JavaScript code in pages that display directory names.
  • On the server, you can grep the WordPress database export or plugin files for suspicious script tags or unusual content in the 'name_directory_name' fields.
  • Example command to check plugin version via WP-CLI: `wp plugin list --format=table | grep name-directory`
  • Example SQL query to find suspicious scripts in the database (adjust table and column names accordingly): `SELECT * FROM wp_name_directory_names WHERE name_directory_name LIKE '%<script>%' OR name_directory_name LIKE '%javascript:%';`
Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the Name Directory plugin to version 1.33.0 or later, which includes the security fix for CVE-2026-3178.'}, {'type': 'paragraph', 'content': 'The update improves input sanitization, output escaping, nonce verification, and permission checks to prevent unauthorized script injection and privilege escalation.'}, {'type': 'paragraph', 'content': 'If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the affected functionality to trusted users only.'}, {'type': 'paragraph', 'content': 'Additionally, review and sanitize any existing entries in the directory that might contain malicious scripts.'}, {'type': 'list_item', 'content': 'Update the Name Directory plugin to version 1.33.0 or later.'}, {'type': 'list_item', 'content': "Restrict access to the plugin's administrative interface using WordPress capability checks or other access control mechanisms."}, {'type': 'list_item', 'content': 'Sanitize existing directory entries to remove any injected scripts.'}, {'type': 'list_item', 'content': 'Monitor your site for suspicious activity or unexpected script execution.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3178. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart