Urgent: Name Directory Plugin (≤ 1.32.0) — Unauthenticated Stored XSS (CVE-2026-1866)

On 10 February 2026 a stored cross-site scripting (XSS) vulnerability affecting the Name Directory WordPress plugin (versions ≤ 1.32.0) was publicly disclosed and assigned CVE-2026-1866. The issue allows unauthenticated attackers to submit content that, due to a double HTML-entity encoding/decoding problem, can later execute in a visitor’s or administrator’s browser. The plugin upstream released a patch (1.32.1). Until you update, active exploitation or automated scanning is a realistic risk.

Table of contents

• Executive summary
• What the vulnerability is (high level)
• How the double HTML-entity encoding bypass works (technical, non-exploitative)
• Possible attacker scenarios and impacts
• How to check if you’re affected (inventory + detection)
• Immediate mitigation — short window actions
• Recommended WAF / virtual patching rules (conceptual)
• Post-incident investigation and remediation checklist
• Long-term hardening and developer guidance
• Weekly maintenance & monitoring recommendations
• Frequently asked questions
• Final checklist (action items)
• Closing thoughts

Executive summary

• CVE: CVE-2026-1866
• Vulnerability: Stored Cross-Site Scripting (XSS) via double HTML-entity encoding in the Name Directory plugin submission form
• Affected versions: Name Directory plugin ≤ 1.32.0
• Fixed in: 1.32.1 — update immediately
• CVSS (approx): 7.1 (Medium)
• Risk profile: Unauthenticated attackers can submit entries that persist in the database and later execute in a victim’s browser when rendered. Possible impacts include session theft, privilege escalation, site defacement and persistent SEO abuse.
• Immediate mitigations: update plugin, apply virtual patching via your WAF, disable public submission forms temporarily, and ensure strict output escaping and CSP where feasible.

What the vulnerability is (high level)

This is a stored XSS vulnerability in the plugin’s submission workflow. An unauthenticated attacker can submit crafted data through the Name Directory submission form such that stored content later renders in pages or admin views in a form that executes JavaScript in visitors’ browsers.

The root cause is inconsistent handling of HTML entity encoding/decoding between submission and rendering: certain input sequences, when decoded more than once or not canonicalized, can become literal tags or attributes that the browser will parse and execute.

Stored XSS is particularly serious because the malicious payload persists in the site database and can impact multiple users over time. The unauthenticated nature of the submission increases the attack surface.

How the double HTML-entity encoding bypass works (technical, safe explanation)

Understanding the class of failure helps choose correct mitigations.

1. Typical safe flow:
   • Input is validated and sanitized (strip or limit HTML).
   • Input is stored as plain text or as sanitized HTML according to design.
   • Output is escaped appropriately for the rendering context (HTML body, attributes, JS, etc.).
2. Double encoding problem (summary):
   • The plugin attempted to prevent tags by encoding special characters (e.g. < and >), but encoding/decoding was inconsistent between submission and display.
   • An attacker can submit an entity or sequence that, after additional decoding during rendering or by the browser, becomes a literal tag such as
     Review My Order

     0

     Subtotal

     Taxes & shipping calculated at checkout

     Checkout