CVE-2026-3516 - Vulnerability Details

Link	Providers
https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/includes/class-contact-list-custom-fields.php#L675
https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/includes/class-contact-list-custom-fields.php#L697
https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/public/class-cl-public-card.php#L466
https://plugins.trac.wordpress.org/browser/contact-list/trunk/includes/class-contact-list-custom-fields.php#L675
https://plugins.trac.wordpress.org/browser/contact-list/trunk/includes/class-contact-list-custom-fields.php#L697
https://plugins.trac.wordpress.org/browser/contact-list/trunk/public/class-cl-public-card.php#L466
https://plugins.trac.wordpress.org/changeset/3486445
https://www.wordfence.com/threat-intel/vulnerabilities/id/a8059995-55cb-49ee-add1-f5364d0772eb?source=cve

Type	Values Removed	Values Added
Description		The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The saveCustomFields() function in class-contact-list-custom-fields.php uses a regex to extract <iframe> tags from user input but does not validate or sanitize the iframe's attributes, allowing event handlers like 'onload' to be included. The extracted iframe HTML is stored via update_post_meta() and later rendered on the front-end in class-cl-public-card.php without any escaping or wp_kses filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Contact List <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/includes/class-contact-list-custom-fields.php#L675 https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/includes/class-contact-list-custom-fields.php#L697 https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/public/class-cl-public-card.php#L466 https://plugins.trac.wordpress.org/browser/contact-list/trunk/includes/class-contact-list-custom-fields.php#L675 https://plugins.trac.wordpress.org/browser/contact-list/trunk/includes/class-contact-list-custom-fields.php#L697 https://plugins.trac.wordpress.org/browser/contact-list/trunk/public/class-cl-public-card.php#L466 https://plugins.trac.wordpress.org/changeset/3486445 https://www.wordfence.com/threat-intel/vulnerabilities/id/a8059995-55cb-49ee-add1-f5364d0772eb?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3516", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T15:08:30.107Z", "datePublished": "2026-03-20T23:25:12.779Z", "dateUpdated": "2026-03-20T23:25:12.779Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-20T23:25:12.779Z"}, "affected": [{"vendor": "anssilaitila", "product": "Contact List \u2013 Online Staff Directory & Address Book", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.0.18", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The saveCustomFields() function in class-contact-list-custom-fields.php uses a regex to extract <iframe> tags from user input but does not validate or sanitize the iframe's attributes, allowing event handlers like 'onload' to be included. The extracted iframe HTML is stored via update_post_meta() and later rendered on the front-end in class-cl-public-card.php without any escaping or wp_kses filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Contact List <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8059995-55cb-49ee-add1-f5364d0772eb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-list/trunk/public/class-cl-public-card.php#L466"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/public/class-cl-public-card.php#L466"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-list/trunk/includes/class-contact-list-custom-fields.php#L697"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/includes/class-contact-list-custom-fields.php#L697"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-list/trunk/includes/class-contact-list-custom-fields.php#L675"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/includes/class-contact-list-custom-fields.php#L675"}, {"url": "https://plugins.trac.wordpress.org/changeset/3486445"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "timeline": [{"time": "2026-03-10T19:29:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-20T10:58:51.000Z", "lang": "en", "value": "Disclosed"}]}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The saveCustomFields() function in class-contact-list-custom-fields.php uses a regex to extract <iframe> tags from user input but does not validate or sanitize the iframe's attributes, allowing event handlers like 'onload' to be included. The extracted iframe HTML is stored via update_post_meta() and later rendered on the front-end in class-cl-public-card.php without any escaping or wp_kses filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-3516", "lastModified": "2026-03-21T00:16:28.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-21T00:16:28.387", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/includes/class-contact-list-custom-fields.php#L675"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/includes/class-contact-list-custom-fields.php#L697"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-list/tags/3.0.17/public/class-cl-public-card.php#L466"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-list/trunk/includes/class-contact-list-custom-fields.php#L675"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-list/trunk/includes/class-contact-list-custom-fields.php#L697"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-list/trunk/public/class-cl-public-card.php#L466"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3486445"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8059995-55cb-49ee-add1-f5364d0772eb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object