Stored Cross-Site Scripting in Contact List Plugin for WordPress
CVE-2026-3516

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Contact List – Online Staff Directory & Address Book
Vendor: CVE Published:; 20 March 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-3516?

The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the '_cl_map_iframe' parameter. This vulnerability exists due to inadequate input sanitization and output escaping routines, specifically in the handling of the Google Maps iframe custom field. The saveCustomFields() function employs regex to extract tags but fails to validate the iframe's attributes, enabling the inclusion of unsafe event handlers like 'onload'. The stored iframe HTML is then displayed on the front-end without proper sanitization or wp_kses filtering. As a result, authenticated attackers with Contributor-level access or higher can inject malicious scripts that execute whenever users visit affected pages.

Affected Version(s)

Contact List – Online Staff Directory & Address Book 0 <= 3.0.18

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-3516
Created by d3kc4rt1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/contact-list/t...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 10, 2026
👾
Exploit known to exist
Apr 10, 2026
Vulnerability published
Mar 20, 2026
Vulnerability Reserved
Mar 4, 2026

Credit

Tharadol Suksamran

CVE-2026-3516 Data

JSON