CVE-2026-3516
Stored XSS in WordPress Contact List Plugin Allows Script Injection
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | contact_list | to 3.0.18 (inc) |
| wordfence | contact_list | 3.0.19 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Contact List WordPress plugin (up to version 3.0.18) is a Stored Cross-Site Scripting (XSS) issue caused by insufficient sanitization and escaping of iframe content in a custom field named '_cl_map_iframe'.
Specifically, the plugin uses a regular expression to extract <iframe> tags from user input but does not validate or sanitize the iframe's attributes, allowing malicious event handlers like 'onload' to be included. This iframe HTML is stored and later rendered on the front-end without proper escaping or filtering.
As a result, authenticated users with Contributor-level access or higher can inject arbitrary scripts that execute whenever any user views the affected page, leading to potential compromise of user sessions or data.
How can this vulnerability impact me? :
This vulnerability allows an attacker with Contributor-level access or above to inject malicious JavaScript into pages via the iframe custom field. Because the injected script is stored and rendered on the front-end without proper sanitization, it can execute in the browsers of any users who visit the affected pages.
The impact includes potential theft of user credentials, session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware through the compromised site.
Since the vulnerability is a Stored XSS, it affects all visitors to the infected pages, increasing the risk and scope of the attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves stored Cross-Site Scripting (XSS) via the '_cl_map_iframe' parameter in the Contact List WordPress plugin, which allows authenticated users with Contributor-level access or higher to inject malicious iframe content. Detection involves identifying if any contact entries in the WordPress database contain iframe HTML with potentially unsafe attributes or event handlers such as 'onload'."}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to stored iframe content in post meta fields, you can detect it by querying the WordPress database for posts of the Contact List type that have meta values containing iframe tags with suspicious attributes.'}, {'type': 'list_item', 'content': 'Use a SQL query on the WordPress database to find iframe tags in the relevant post meta, for example:'}, {'type': 'list_item', 'content': "SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_value LIKE '%<iframe%onload=%';"}, {'type': 'list_item', 'content': "This query looks for iframe tags with 'onload' attributes, which are known to be exploitable in this vulnerability."}, {'type': 'list_item', 'content': "Alternatively, search for any iframe tags in the '_cl_map_iframe' or related custom fields:"}, {'type': 'list_item', 'content': "SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key LIKE '%_cl_map_iframe%' AND meta_value LIKE '%<iframe%';"}, {'type': 'paragraph', 'content': 'On the WordPress filesystem or plugin files, you can check the plugin version to see if it is vulnerable (versions up to and including 3.0.18 are vulnerable). Running the following WP-CLI command can help identify the plugin version:'}, {'type': 'list_item', 'content': 'wp plugin list --status=active'}, {'type': 'paragraph', 'content': 'If the plugin version is 3.0.18 or lower, the site is vulnerable unless patched.'}] [2, 4, 5]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Contact List WordPress plugin to version 3.0.19 or later, where the vulnerability has been fixed by enforcing strict sanitization and validation of iframe content in custom fields.
The update restricts iframe content to only valid iframe tags matching a strict regular expression and removes any unsafe attributes or event handlers that could lead to Cross-Site Scripting.
If updating immediately is not possible, consider temporarily restricting Contributor-level and higher user permissions to prevent untrusted users from injecting iframe content.
Additionally, review and sanitize any existing iframe content in the custom fields by removing or cleaning iframe tags with unsafe attributes.
As a best practice, monitor and audit user inputs and custom fields for suspicious iframe or script content.