The vulnerability CVE-2026-1866 affects the Name Directory plugin for WordPress, versions up to and including 1.32.0. It is a stored Cross-Site Scripting (XSS) flaw categorized under CWE-79, caused by improper input neutralization during web page generation. The root cause is the plugin's sanitization process, which calls html_entity_decode() before wp_kses(), and then calls html_entity_decode() again on output. This double decoding allows attackers to bypass sanitization filters by submitting payloads encoded in a way that the plugin fails to properly neutralize. Attackers can inject arbitrary JavaScript code into the 'name_directory_name' and 'name_directory_description' fields of the public submission form. Since the plugin allows unauthenticated submissions, an attacker can submit malicious content without credentials. However, for the payload to execute, the submission must be approved by an administrator or auto-publish must be enabled, after which the malicious script executes in the context of any user viewing the injected page. This leads to potential theft of cookies, session tokens, or other sensitive information, and could facilitate further attacks such as privilege escalation or phishing. The vulnerability has a CVSS 3.1 base score of 7.2, reflecting its high severity with network attack vector, low attack complexity, no privileges or user interaction required, and impact on confidentiality and integrity. No public exploits are currently known, but the vulnerability is publicly disclosed and should be considered exploitable. The plugin is widely used in WordPress environments, increasing the potential attack surface.

This vulnerability poses a significant risk to organizations using the Name Directory plugin on WordPress sites. Successful exploitation can lead to theft of user credentials, session hijacking, and unauthorized actions performed in the context of affected users, compromising confidentiality and integrity of data. Since the attack vector is network-based and requires no authentication, attackers can target any vulnerable site remotely. The requirement for administrator approval or auto-publish settings somewhat limits immediate exploitation but does not eliminate risk, especially in environments with lax content moderation or automated publishing workflows. Compromised sites may suffer reputational damage, data breaches, and potential regulatory penalties if user data is exposed. Additionally, attackers could use the vulnerability as a foothold for further attacks within the organization’s network or to distribute malware to site visitors. The widespread use of WordPress and the plugin increases the global impact potential, especially for organizations relying on user-generated content features.

Organizations should immediately audit their WordPress installations to identify if the Name Directory plugin is in use and determine the version. Until an official patch is released, administrators should disable or restrict public submissions to the plugin, especially disabling auto-publish features to prevent automatic exposure of malicious content. Implement strict content moderation workflows requiring manual review and approval of all submissions. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable parameters. Consider adding additional input validation and output encoding layers at the web server or application level to mitigate injection attempts. Monitor logs for unusual submission patterns or script injection attempts. Educate administrators on the risks of approving untrusted submissions. Once a patch or update is available from the vendor, apply it promptly. Regularly update all WordPress plugins and core software to minimize exposure to known vulnerabilities.