CVE-2026-3516 is a stored cross-site scripting vulnerability affecting all versions up to 3.0.18 of the Contact List – Online Staff Directory & Address Book WordPress plugin by anssilaitila. The root cause is insufficient input sanitization and output escaping related to the '_cl_map_iframe' parameter, which is intended to embed Google Maps iframes. The plugin's saveCustomFields() function uses a regular expression to extract iframe tags from user input but fails to validate or sanitize the iframe's attributes, allowing malicious event handler attributes such as 'onload' to be included. This crafted iframe HTML is stored in the WordPress post meta database via update_post_meta() without filtering. Later, the stored iframe is output directly on the front-end by class-cl-public-card.php without applying escaping functions like wp_kses or esc_html, enabling arbitrary JavaScript execution in the context of the affected site. The vulnerability requires an attacker to have at least Contributor-level authenticated access, which is a relatively low privilege level in WordPress, making it feasible for insiders or compromised accounts to exploit. The attack does not require victim interaction beyond visiting the affected page, and the scope is site-wide for any user accessing the injected content. The CVSS 3.1 base score of 6.4 reflects network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impacts. No patches or official fixes are currently linked, and no public exploits are known, but the vulnerability poses a significant risk if weaponized.

This vulnerability allows authenticated users with Contributor-level access or higher to inject persistent malicious scripts into pages rendered by the Contact List plugin. The impact includes potential theft of session cookies, user credentials, or other sensitive information from site visitors, enabling account takeover or privilege escalation. It can also facilitate defacement, phishing, or distribution of malware via the affected website. Since the vulnerability affects a plugin used for staff directories and address books, organizations relying on it may expose internal contact information or enable lateral movement within their networks. The lack of output sanitization means any visitor to the compromised page is at risk, increasing the attack surface. While availability is not directly impacted, the integrity and confidentiality of user data and site content are at risk. The requirement for authenticated access limits exploitation to insiders or compromised accounts but does not eliminate risk, especially in environments with many contributors or weak account controls. The vulnerability could be leveraged as part of a broader attack chain targeting organizational infrastructure or users.

Organizations should immediately restrict Contributor-level user capabilities to trusted individuals and audit existing accounts for suspicious activity. Until an official patch is released, administrators can mitigate risk by disabling or uninstalling the Contact List plugin if feasible. Alternatively, apply manual code fixes by sanitizing and validating the '_cl_map_iframe' input to allow only safe iframe attributes and removing event handler attributes like 'onload'. Implement output escaping using WordPress functions such as wp_kses() with a strict whitelist or esc_html() before rendering iframe content on the front-end. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious iframe attribute injections. Regularly monitor logs for unusual post meta updates or contributor activity. Educate users about phishing risks arising from XSS attacks. Finally, maintain up-to-date backups to enable recovery if exploitation occurs.