{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1866", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-03T21:37:47.348Z", "datePublished": "2026-02-10T09:26:05.323Z", "dateUpdated": "2026-04-08T16:43:23.138Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:23.138Z"}, "affected": [{"vendor": "jeroenpeters1986", "product": "Name Directory", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.32.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling `html_entity_decode()` before `wp_kses()`, and then calling `html_entity_decode()` again on output. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the 'name_directory_name' and 'name_directory_description' parameters in the public submission form granted they can trick the site administrator into approving their submission or auto-publish is enabled."}], "title": "Name Directory <= 1.32.0 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29d13457-ac60-4e3d-9d8b-0141e6f8f4f6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/helpers.php#L604"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/shortcode.php#L193"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/shortcode.php#L41"}, {"url": "https://plugins.trac.wordpress.org/changeset/3455023/name-directory/trunk?contextall=1&old=3446566&old_path=%2Fname-directory%2Ftrunk#file3"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Duy Thai"}], "timeline": [{"time": "2026-02-03T11:25:01.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-09T20:45:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:26:47.740578Z", "id": "CVE-2026-1866", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:27:37.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1866", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:26:47.740578Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:27:10.810Z"}}], "cna": {"title": "Name Directory <= 1.32.0 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form", "credits": [{"lang": "en", "type": "finder", "value": "Duy Thai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "jeroenpeters1986", "product": "Name Directory", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.32.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T11:25:01.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-09T20:45:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29d13457-ac60-4e3d-9d8b-0141e6f8f4f6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/helpers.php#L604"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/shortcode.php#L193"}, {"url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/shortcode.php#L41"}, {"url": "https://plugins.trac.wordpress.org/changeset/3455023/name-directory/trunk?contextall=1&old=3446566&old_path=%2Fname-directory%2Ftrunk#file3"}], "descriptions": [{"lang": "en", "value": "The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling `html_entity_decode()` before `wp_kses()`, and then calling `html_entity_decode()` again on output. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the 'name_directory_name' and 'name_directory_description' parameters in the public submission form granted they can trick the site administrator into approving their submission or auto-publish is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:23.138Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1866", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:23.138Z", "dateReserved": "2026-02-03T21:37:47.348Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-10T09:26:05.323Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling `html_entity_decode()` before `wp_kses()`, and then calling `html_entity_decode()` again on output. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the 'name_directory_name' and 'name_directory_description' parameters in the public submission form granted they can trick the site administrator into approving their submission or auto-publish is enabled."}, {"lang": "es", "value": "El plugin Name Directory para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de una codificaci\u00f3n de doble entidad HTML en todas las versiones hasta e incluyendo la 1.32.0. Esto se debe a que la funci\u00f3n de saneamiento del plugin llama a `html_entity_decode()` antes de `wp_kses()`, y luego vuelve a llamar a `html_entity_decode()` en la salida. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada a trav\u00e9s de los par\u00e1metros 'name_directory_name' y 'name_directory_description' en el formulario de env\u00edo p\u00fablico, siempre que puedan enga\u00f1ar al administrador del sitio para que apruebe su env\u00edo o la publicaci\u00f3n autom\u00e1tica est\u00e9 habilitada."}], "id": "CVE-2026-1866", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-10T10:15:57.717", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/helpers.php#L604"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/shortcode.php#L193"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/shortcode.php#L41"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3455023/name-directory/trunk?contextall=1&old=3446566&old_path=%2Fname-directory%2Ftrunk#file3"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29d13457-ac60-4e3d-9d8b-0141e6f8f4f6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.32.0]"}}], "product": "name_directory", "vendor": "jeroenpeters1986"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T21:17:57.959034+00:00", "value": {"mitigation_remediation": ["Update the Name Directory plugin to a version newer than 1.32.0 that removes the double html_entity_decode sanitization sequence.", "If an update cannot be applied immediately, disable the auto\u2011publish setting and enforce manual approval of all new submissions until the plugin is patched.", "During the transition period, remove or restrict public access to the name_directory_name and name_directory_description input fields in the submission form to prevent new stored XSS payloads from being added."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "WordPress sites running any release of the Name Directory plugin up to and including 1.32.0, developed by jeroenpeters1986. The vulnerability applies to every instance where the public submission form is enabled and the name_directory_name and name_directory_description fields are processed.", "description_and_impact": "The Name Directory WordPress plugin allows unauthenticated attackers to embed malicious scripts in plug\u2011in stored data by double\u2011encoding HTML entities during sanitization and re\u2011decoding them on output. The flaw turns user input in the public submission form into executable code when a page containing the stored data is viewed, enabling session hijacking, malware delivery, or defacement.", "risk_and_exploitability": "With a CVSS score of 7.2 the flaw poses a moderate\u2011to\u2011high risk. The EPSS score is below 1\u202f%, indicating a low but non\u2011zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw only when a submission is publicly available\u2014either when auto\u2011publication is enabled or when an administrator approves a malicious entry. Thus, the attack vector is local to the community of site administrators who grant publication privileges to public submissions."}}}}, "created": "2026-02-10T12:23:37.164689+00:00", "updated": "2026-04-15T21:30:13.889203+00:00", "vendors": ["jeroenpeters1986", "jeroenpeters1986$PRODUCT$name_directory", "wordpress", "wordpress$PRODUCT$wordpress"]}