CVE-2026-3516 in Contact List Plugin
Summary
by MITRE • 03/21/2026
The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The saveCustomFields() function in class-contact-list-custom-fields.php uses a regex to extract <iframe> tags from user input but does not validate or sanitize the iframe's attributes, allowing event handlers like 'onload' to be included. The extracted iframe HTML is stored via update_post_meta() and later rendered on the front-end in class-cl-public-card.php without any escaping or wp_kses filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-3516 affects the Contact List plugin for WordPress, specifically targeting versions up to and including 3.0.18. This represents a critical stored cross-site scripting vulnerability that exploits insufficient input sanitization and output escaping mechanisms within the plugin's handling of Google Maps iframe custom fields. The flaw exists in the core functionality that processes user-provided iframe content through the '_cl_map_iframe' parameter, creating a persistent security risk that can be exploited by authenticated attackers.
The technical implementation of this vulnerability stems from the saveCustomFields() function located in class-contact-list-custom-fields.php which employs a regular expression approach to extract <iframe> tags from user input. This method fails to properly validate or sanitize the iframe's attributes, allowing malicious actors to inject event handlers such as 'onload' directly into the iframe code. The regex extraction mechanism operates without proper attribute validation, creating a pathway for attackers to embed malicious JavaScript code within the iframe's HTML structure. This approach directly violates security principles outlined in CWE-79 which addresses cross-site scripting vulnerabilities due to insufficient input sanitization.
The operational impact of this vulnerability is significant as it allows authenticated attackers with Contributor-level access or higher to execute arbitrary web scripts on victim systems. The vulnerability creates a persistent threat because the extracted iframe HTML is stored using update_post_meta() function, meaning the malicious code becomes part of the WordPress database and executes whenever users access pages containing the injected content. The rendering occurs in class-cl-public-card.php without any escaping or wp_kses filtering, which represents a failure to implement proper output sanitization mechanisms that are fundamental to preventing XSS attacks. This attack vector enables sophisticated social engineering campaigns where attackers can redirect users to malicious sites or steal session cookies, as the vulnerability operates at the user-facing frontend level.
The security implications extend beyond simple script execution as this vulnerability can be leveraged for more advanced attack vectors including session hijacking, credential theft, and malicious redirection. Attackers can craft iframe content that triggers malicious actions when loaded, potentially executing code that monitors user interactions or redirects to phishing sites. The vulnerability's persistence through database storage means that even if the initial attack occurs during content creation, the malicious code continues to execute whenever the affected pages are accessed by any user. Organizations should consider this vulnerability in their threat modeling processes and recognize the potential for supply chain attacks if the plugin is used across multiple sites within a larger ecosystem.
Mitigation strategies should focus on immediate plugin updates to versions that address the sanitization issues, implementing proper input validation and output escaping mechanisms, and applying WordPress security hardening measures. The fix should involve comprehensive attribute validation for iframe elements, proper use of wp_kses() or similar sanitization functions, and ensuring all user-provided content undergoes appropriate security filtering before storage and rendering. Additionally, organizations should implement role-based access controls to limit the ability of low-privilege users to modify content that could be exploited for XSS attacks, and consider implementing content security policies to further protect against script execution. This vulnerability serves as a reminder of the critical importance of input validation and output escaping in web applications, particularly in content management systems where user-generated content processing is common. The ATT&CK framework would categorize this as a technique involving code injection and privilege escalation, while the vulnerability's persistence characteristics align with tactics that maintain access through stored data manipulation.