PT-2026-26720 · WordPress · Contact List

Tharadol Suksamran · Published 2026-03-20 · Updated 2026-03-21 · CVE-2026-3516

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Contact List plugin for WordPress, versions prior to 3.0.19

Description: The Contact List plugin for WordPress is susceptible to Stored Cross-Site Scripting through the cl_map_iframe parameter. Insufficient input sanitization and output escaping when handling the Google Maps iframe custom field allows the injection of malicious scripts. The saveCustomFields() function in class-contact-list-custom-fields.php extracts iframe tags with a regular expression but does not validate or sanitize the iframe's attributes, so event-handler attributes such as 'onload' are kept. The extracted iframe HTML is stored with update_post_meta() and later rendered on the front end in class-cl-public-card.php without escaping or filtering. An authenticated attacker with Contributor-level access or higher can therefore inject arbitrary web scripts into pages, and those scripts execute whenever a user views the affected page.

Recommendations: Update the Contact List plugin to version 3.0.19 or later.
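The root cause described above is a regex that captures the whole `<iframe ...>` tag and stores it verbatim, so every attribute the contributor typed (including `onload`) reaches the page. The PHP below is an added illustration, not the plugin's code and not the fix that shipped in 3.0.19: it places that weak pattern beside an allowlist-based alternative built on WordPress's own `wp_kses()`, `esc_url_raw()` and `wp_parse_url()`. The function names, the use of a `cl_map_iframe` meta key, the capability check and the `www.google.com/maps/embed` origin restriction are assumptions made for the example.

```php
<?php
// Added example, not the Contact List plugin's code. Function names, the meta
// key handling and the accepted embed origin are assumptions for illustration.

// --- Weak pattern (shown for contrast): capture the tag and store it as-is.
function weak_save_map_iframe( int $post_id, string $input ): void {
    if ( preg_match( '/<iframe\b[^>]*>.*?<\/iframe>/is', $input, $m ) ) {
        // Every attribute on the tag, including on* event handlers, survives.
        update_post_meta( $post_id, 'cl_map_iframe', $m[0] );
    }
}

// --- Hardened pattern: allowlist the tag, its attributes and the embed origin.
function cl_example_allowed_iframe(): array {
    // wp_kses() keeps only listed tags and, per tag, only listed attributes.
    return array(
        'iframe' => array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'style'           => true,
            'loading'         => true,
            'allowfullscreen' => true,
            'referrerpolicy'  => true,
        ),
    );
}

function cl_example_sanitize_map_iframe( string $input ): string {
    // 1. Strip everything except an <iframe> with allowlisted attributes;
    //    onload, onerror, srcdoc and any script tag are dropped here.
    $clean = wp_kses( $input, cl_example_allowed_iframe() );
    if ( ! preg_match( '/<iframe\b[^>]*\ssrc=(["\'])(.*?)\1/i', $clean, $m ) ) {
        return '';
    }

    // 2. Accept only an https embed from the expected host (assumed here).
    $src  = esc_url_raw( $m[2], array( 'https' ) );
    $host = (string) wp_parse_url( $src, PHP_URL_HOST );
    $path = (string) wp_parse_url( $src, PHP_URL_PATH );
    if ( '' === $src || 'www.google.com' !== $host || 0 !== strpos( $path, '/maps/embed' ) ) {
        return '';
    }
    return $clean;
}

function cl_example_save_map_iframe( int $post_id, string $input ): void {
    // Only users allowed to edit this post may change its map embed.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    update_post_meta( $post_id, 'cl_map_iframe', cl_example_sanitize_map_iframe( $input ) );
}

// --- Render side: escape on output as well, with the same allowlist, so a
//     value written to post meta by any other path is still filtered.
function cl_example_render_map_iframe( int $post_id ): string {
    $stored = (string) get_post_meta( $post_id, 'cl_map_iframe', true );
    return wp_kses( $stored, cl_example_allowed_iframe() );
}
```

Filtering at both save time and render time is deliberate: the advisory notes that the stored value was rendered in class-cl-public-card.php without escaping, and output-side filtering covers meta written before the fix or by another code path. Content such as `<iframe src="https://www.google.com/maps/embed?pb=..." onload="...">` passes through `wp_kses()` with the `onload` attribute removed, while an `<iframe>` pointing anywhere other than the allowlisted embed path is rejected outright.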

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2026-3516

Affected Products: Contact List