Community Advisory: XSS Risk in Name Directory (CVE-2026-3178)

Cross Site Scripting (XSS) in WordPress Name Directory Plugin

Urgent: Unauthenticated Stored XSS in Name Directory plugin (<= 1.32.1)

Plugin Name: Name Directory
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-3178
Urgency: Medium
CVE Publish Date: 2026-03-14
Source URL: CVE-2026-3178

Urgent: Unauthenticated Stored XSS in Name Directory plugin (<= 1.32.1) — What WordPress Site Owners Must Do Right Now

Date: 12 Mar, 2026 — CVE: CVE-2026-3178 — Severity: Medium (CVSS 7.1) — Affected versions: Name Directory plugin <= 1.32.1 — Patched in: 1.33.0

As a Hong Kong-based security practitioner with operational experience protecting WordPress sites, I will be direct: treat this vulnerability as urgent. The Name Directory plugin (versions prior to 1.33.0) contains an unauthenticated stored Cross-Site Scripting (XSS) flaw. An unauthenticated visitor can submit a crafted value (commonly via the plugin’s name field) that is persisted in the database and later rendered without proper escaping. When a privileged user (for example an administrator) views the stored entry, the payload can execute in that user’s browser and allow session theft, settings changes, or further persistent compromise.

Immediate priority: update to Name Directory 1.33.0 if you can. If you cannot update immediately due to testing or compatibility constraints, follow the mitigation steps below without delay.

Executive summary — immediate actions

  • Update the Name Directory plugin to version 1.33.0 or later — this removes the vulnerability and is the correct permanent fix.
  • If you cannot update immediately:
    • Disable public/anonymous submissions to the plugin or remove the plugin until patched.
    • Apply server-side rules (or WAF rules) to block obvious XSS payloads targeting the submission endpoint.
    • Restrict access to admin pages (IP allowlist where practical) and require administrators to use up-to-date browsers and 2FA.
    • Scan recent directory entries and logs for suspicious content and unknown entries.
  • If you suspect compromise: take the site into maintenance, back up files and database, perform a full forensic/malware scan, rotate credentials, and follow the incident response checklist below.

What exactly is the vulnerability?

  • Type: Stored Cross-Site Scripting (Stored XSS).
  • Trigger: Unauthenticated input into the plugin’s “name” field (commonly referenced in code as name_directory_name) is saved and later rendered without proper escaping.
  • Who can trigger it: Any unauthenticated visitor — bots or attackers that can reach the submission endpoint.
  • How it executes: The payload is stored in the database and executes in the browser of anyone who views the stored content (often an administrator). Because it runs in the privileged user’s session, it can enable account takeover, site modification, or persistent backdoors.
  • CVSS: 7.1 — medium, reflecting stored nature and potential high impact when administrators are targeted.

Root cause

The plugin accepts and stores the submitted input, but when it later renders the stored value into an HTML page it does not escape or sanitize it for that context. Because the payload lives in the database rather than in a single request, it survives page reloads and server restarts and can affect every user who views the entry over time, which makes it particularly dangerous for administrative workflows.
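To make the root cause concrete, here is an added Python illustration of the vulnerable rendering pattern beside the hardened one. It is not the plugin's code (which is PHP) and not from the advisory; the name_directory_name value below is a constructed sample. The stored value is left exactly as submitted in both cases; what changes is that the hardened renderer escapes it for the HTML context at output time.

```python
import html
from urllib.parse import quote

# Constructed sample of a stored name_directory_name value (not taken from
# the plugin or the advisory): a minimal script tag standing in for any
# attacker-controlled markup.
STORED_NAME = "<script>alert(1)</script>"


def render_entry_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored value is concatenated straight into HTML.

    This mirrors the root cause in the advisory. The browser parses whatever
    markup the stored string contains as part of the page.
    """
    return f"<li class='entry'>{name}</li>"


def render_entry_safe(name: str) -> str:
    """Hardened pattern: escape for the HTML body context when rendering.

    html.escape turns < > & " ' into entities, so the browser shows the
    stored text literally instead of interpreting it as markup.
    """
    return f"<li class='entry'>{html.escape(name, quote=True)}</li>"


def render_link_safe(name: str) -> str:
    """Hardened pattern for the same value placed inside a URL attribute.

    Two encodings are layered for two contexts: percent-encoding for the
    query string, then HTML escaping for the attribute that surrounds it.
    The visible link text is escaped for the HTML body context separately.
    """
    encoded = html.escape(quote(name, safe=""), quote=True)
    return f'<a href="/directory/?name={encoded}">{html.escape(name)}</a>'


def is_neutralized(rendered: str) -> bool:
    """True when no raw <script tag survives in the rendered HTML."""
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    for label, fn in (("unsafe", render_entry_unsafe),
                      ("safe", render_entry_safe),
                      ("link", render_link_safe)):
        out = fn(STORED_NAME)
        print(f"{label:6s} neutralized={is_neutralized(out)!s:5s} {out}")
```

In a WordPress plugin the corresponding helpers are esc_html() for text nodes, esc_attr() for attribute values and esc_url() for href values. The point the advisory makes is that escaping must happen at render time for the specific output context; filtering input alone does not protect every place a stored value is later displayed.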

Realistic attack scenarios

  1. Stealthy admin targeting — attacker submits a seemingly benign name containing encoded script or event attributes. When an admin opens that entry, the payload executes and allows actions via the admin’s session.
  2. Mass compromise via low-privilege viewers — editors or moderators who view the item could have their sessions hijacked, enabling lateral movement.
  3. Persistent defacement or redirect — injected content could alter public pages that reuse the stored name, harming reputation and SEO.
  4. Drive-by admin click — some admin pages or widgets render entries automatically, enabling exploitation without intentional admin action other than visiting a page.
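One way to carry out the "scan recent directory entries and logs" step from the executive summary, and to catch the encoded payloads that scenario 1 describes, is to decode stored values and request targets before pattern-matching them. The following Python script is an added example written for this advisory, not code from the plugin or from the advisory's author. The entries, the access-log lines and the /name-directory/submit path are constructed placeholders: the advisory does not name the plugin's submission endpoint or database table, so in practice the entries would be exported from the plugin's own table (for example with WP-CLI's wp db query) and fed to scan_entries().

```python
import html
import re
from urllib.parse import unquote_plus

# Markup that has no business in a value that should be a personal name.
# Matching happens after decoding, so entity- or percent-encoded variants
# (the "encoded script or event attributes" from scenario 1) are caught too.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|svg|img|object|embed|math)\b"  # tags
    r"|\bon[a-z]+\s*="                                        # event handler attributes
    r"|javascript\s*:"                                        # script URIs
    r"|srcdoc\s*=",
    re.IGNORECASE,
)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo layered HTML-entity and percent encoding before matching."""
    for _ in range(rounds):
        decoded = unquote_plus(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_entries(entries):
    """Return (entry_id, matched_text) for entries whose name looks like markup."""
    findings = []
    for entry in entries:
        match = SUSPICIOUS.search(normalize(entry["name"]))
        if match:
            findings.append((entry["id"], match.group(0)))
    return findings


def scan_access_log(lines):
    """Flag request lines whose decoded target matches the same patterns.

    Returns (client_ip, method, matched_text). Combined-log format is assumed.
    """
    request = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
    hits = []
    for line in lines:
        req = request.search(line)
        if not req:
            continue
        match = SUSPICIOUS.search(normalize(req.group("target")))
        if match:
            hits.append((line.split()[0], req.group("method"), match.group(0)))
    return hits


# Constructed sample data (not real directory entries or real logs).
SAMPLE_ENTRIES = [
    {"id": 1, "name": "Alice Chan"},                                 # clean
    {"id": 2, "name": "Bob &lt;script&gt;alert(1)&lt;/script&gt;"},  # entity-encoded tag
    {"id": 3, "name": "Carol%20%3Csvg%20onload%3Dalert%281%29%3E"},  # percent-encoded tag
    {"id": 4, "name": "Dave &amp;lt;script&amp;gt;"},                # doubly entity-encoded
]

# /name-directory/submit is a hypothetical placeholder path, not the plugin's real endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:01:22 +0000] "POST /name-directory/submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:01:25 +0000] "GET /directory/?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 913 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2026:10:03:00 +0000] "GET /directory/?name=Alice HTTP/1.1" 200 913 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for entry_id, why in scan_entries(SAMPLE_ENTRIES):
        print(f"entry {entry_id}: suspicious ({why!r})")
    for ip, method, why in scan_access_log(SAMPLE_LOG):
        print(f"log: {ip} {method} matched {why!r}")
```

Treat every hit as something to review by hand, not as proof of compromise: a legitimate name will very rarely contain a tag or an event-handler attribute, but a flagged entry only tells you what was stored, not whether an administrator has already viewed it, so pair the scan with the incident response steps below.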

Indicators of Compromise (IoC) — what to look for

  • Entries containing strings such as