CVE-2026-1866

Name of the Vulnerable Software and Affected Versions Name Directory plugin for WordPress versions prior to 1.32.1

Description The Name Directory plugin for WordPress is susceptible to Stored Cross-Site Scripting due to double HTML-entity encoding. The plugin’s sanitization function calls html entity decode() before wp kses(), and then calls html entity decode() again on output. This allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page through the name directory name and name directory description parameters in the public submission form, provided the attacker can convince the site administrator to approve the submission or if auto-publish is enabled.

Recommendations Update the Name Directory plugin to version 1.32.1 or later.