CVE-2026-3178 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Name Directory plugin for WordPress developed by jeroenpeters1986. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the 'name_directory_name' parameter, which is used during web page generation. This allows unauthenticated attackers to inject arbitrary JavaScript code that is stored persistently and executed in the context of any user who visits the affected page. The vulnerability affects all versions up to and including 1.32.1, with partial patches applied in versions 1.30.3 and 1.32.1 that do not fully remediate the issue. The CVSS 3.1 base score is 7.2, reflecting a high severity with network attack vector, low attack complexity, no privileges or user interaction required, and a scope change indicating impact beyond the vulnerable component. The vulnerability compromises confidentiality and integrity by enabling attackers to steal session cookies, perform actions on behalf of users, or deliver further payloads. No known public exploits have been reported yet, but the nature of stored XSS makes it a significant threat for WordPress sites using this plugin. The vulnerability is publicly disclosed and should be addressed promptly to prevent exploitation.

The impact of CVE-2026-3178 is significant for organizations running WordPress sites with the vulnerable Name Directory plugin. Successful exploitation allows attackers to execute arbitrary scripts in the browsers of site visitors, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. This compromises user confidentiality and site integrity, undermining trust and potentially causing reputational damage. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated attacks. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the plugin itself, potentially impacting other parts of the web application or user data. Organizations with high traffic or sensitive user data are at elevated risk. Although no exploits are currently known in the wild, the widespread use of WordPress and the plugin increases the likelihood of future attacks. Failure to remediate could lead to data breaches, regulatory penalties, and operational disruptions.

To mitigate CVE-2026-3178, organizations should immediately upgrade the Name Directory plugin to the latest version once a fully patched release is available. Until then, consider the following specific measures: 1) Implement a Web Application Firewall (WAF) with custom rules to detect and block malicious payloads targeting the 'name_directory_name' parameter. 2) Apply manual input validation and output encoding in the plugin code if feasible, focusing on sanitizing user inputs and escaping outputs to prevent script injection. 3) Restrict or disable the plugin if it is non-essential, reducing the attack surface. 4) Monitor web server logs and application logs for suspicious requests containing script tags or unusual payloads targeting the vulnerable parameter. 5) Educate site administrators and users about the risks of XSS and encourage the use of security headers such as Content Security Policy (CSP) to limit script execution. 6) Regularly audit and update all WordPress plugins and themes to minimize exposure to known vulnerabilities. These targeted actions go beyond generic advice and focus on immediate risk reduction while awaiting official patches.