{"id":42347,"date":"2026-04-12T02:00:54","date_gmt":"2026-04-12T02:00:54","guid":{"rendered":"http:\/\/localhost\/?p=42347"},"modified":"2026-04-12T02:00:54","modified_gmt":"2026-04-12T02:00:54","slug":"wordpress-contact-list-3017-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=42347","title":{"rendered":"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667"},"content":{"rendered":"

{“lastseen”:”2026-04-10T17:15:23″,”description”:”WordPress Contact List plugin versions 3.0.17 and below suffer from a persistent cross site scripting vulnerability…”,”published”:”2026-04-10T00:00:00″,”modified”:”2026-04-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218667″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-3516″],”sourceData”:”# CVE-2026-3516: Authenticated Stored Cross-Site Scripting (XSS) in Contact List Plugin\\n \\n \\u003e **Disclaimer:** This repository is created for **educational purposes and ethical disclosure only**. The vulnerability has been responsibly reported to the vendor and patched. Do not use this information to exploit systems without proper authorization.\\n \\n ## Summary\\n A **Stored Cross-Site Scripting (XSS)** vulnerability was discovered in the **Contact List – Online Staff Directory \\u0026 Address Book** plugin for WordPress (versions \\u003c= 3.0.17). This vulnerability allows authenticated users with **Author** privileges or higher the inject malicious JavaScript into contact cards via a hidden custom field.\\n \\n When the contact card is rendered on the public-facing directory, the injected payload executes in the browser of any visitor. If an Administrator views the page, this flaw can be escalated to full Account Takeover (ATO) and site compromise.\\n \\n ## Vulnerability Overview\\n * **CVE ID:** CVE-2026-3516\\n * **Product:** Contact List (WordPress Plugin)\\n * **Affected Versions:** `\\u003c= 3.0.17`\\n * **Vulnerability Type:** Stored Cross-Site Scripting (XSS) (CWE-79)\\n * **Required Privileges:** Authenticated (Author or higher)\\n \\n ## Technical Deep Dive \\u0026 Root Cause\\n The vulnerability stems from improper sanitization and unsafe output handling of the `_cl_map_iframe` custom field, which is intended to embed map iframes.\\n \\n **1. Insecure Data Storage:**\\n In `includes\/class-contact-list-custom-fields.php` (inside `saveCustomFields()`), the plugin processes the `_cl_map_iframe` input using a regular expression to extract an “\\u003ciframe\\u003e“ block. However, it fails to apply a strict allowlist or sanitization function (like `wp_kses_post()`) before saving the data to the database using `update_post_meta()` (lines ~679-697).\\n \\n **2. Unsafe Frontend Rendering:**\\n In `public\/class-cl-public-card.php` (lines ~456-468), the plugin retrieves the stored `_cl_map_iframe` value and appends it directly to the output HTML. Because the output is neither escaped nor sanitized, any injected event handlers (e.g., `onload`, `onerror`) within the iframe tag are executed by the victim’s browser.\\n \\n \\n ## Business Impact\\n * **Account Takeover (ATO):** If an Administrator visits the infected contact list page, the malicious script can execute actions on their behalf, such as creating rogue admin accounts or modifying site settings.\\n * **Data Theft:** The XSS payload can silently steal session cookies or local storage tokens from visitors.\\n * **Requtation Damage:** Attackers can redirect users to phishing sites or deface the public directory, destroying visitor trust.\\n \\n ## Proof of Concept (PoC)\\n \\n ### Prerequisites\\n 1. WordPress with Contact List (\\u003c= 3.0.17) Installed.\\n 2. A published page containing the `[contact_list]` shortcode.\\n 3. Attacker logged in with an **Author** account.\\n \\n ### Exploitation Steps\\n 1. Log in as the **Author**.\\n 2. Navigate to **Contacts -\\u003e Add New** (`\/wp-admin\/post-new.php?post_type=contact`).\\n 3. Fill in the required contact details to prepare for publishing.\\n 4. Using a proxy like Burp Suite, intercept the `POST` request sent to `\/wp-admin\/post.php`.\\n 5. Append the malicious payload to the request body:\\n `_cl_map_iframe=\\u003ciframe src=’about:blank’ onload=’alert(\\”XSS_By_CVE-2026-3516\\”)’\\u003e\\u003c\/iframe\\u003e`\\n 6. Forward the request. The server stores the malicious iframe.\\n 7. **Trigger:** Visit the public directory page where `[contact_list]` is embedded. The alert box will trigger immediately, confirming code execution.\\n \\n ### Example Malicious HTTP Request\\n “`http\\n POST \/wp-admin\/post.php HTTP\/1.1\\n Host: TARGET\\n Content-Type: application\/x-www-form-urlencoded\\n Cookie: [Author_Session_Cookies]\\n \\n post_title=Hacked+Contact\\u0026post_type=contact\\u0026action=editpost\\u0026_cl_map_iframe=\\u003ciframe src=’about:blank’ onload=’alert(\\”XSS\\”)’\\u003e\\u003c\/iframe\\u003e\\n “`\\n \\n ## Remediation\\n To patch this vulnerability, the plugin developers must:\\n 1. **Sanitize Input:** Use `wp_kses()` with a strict array of allowed HTML tags and attributes when saving `_cl_map_iframe`. Disallow attributes like `onload`, `onerror`, or `javascript:` URIs.\\n 2. **Escape Output:** Ensure all user-supplied data retrieved from the database is properly escaped before rendering it to the DOM.\\n \\n ## Timeline\\n \\n * **Date (2026-03-03):** Reported to Wordfence.\\n * **Date (2026-03-20):** Vulnerability patched \/ Public disclosure.\\n \\n ## References \\u0026 Credits\\n * [Wordfence Vulnerability Database](https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/id\/a8059995-55cb-49ee-add1-f5364d0772eb)\\n * [CVE-2026-3516 on NVD](https:\/\/www.cve.org\/CVERecord?id=CVE-2026-3516)\\n * [Contact List Plugin on WordPress.org](https:\/\/wordpress.org\/plugins\/contact-list\/)”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218667″,”cvss”:{“score”:6.4,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218667\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-04-10T17:15:23″,”description”:”WordPress Contact List plugin versions 3.0.17 and below suffer from a persistent cross site scripting vulnerability…”,”published”:”2026-04-10T00:00:00″,”modified”:”2026-04-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218667″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-3516″],”sourceData”:”# CVE-2026-3516: Authenticated…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,46,12,21,13,53,7,11,5],"class_list":["post-42347","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-64","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=42347\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-04-10T17:15:23″,”description”:”WordPress Contact List plugin versions 3.0.17 and below suffer from a persistent cross site scripting vulnerability…”,”published”:”2026-04-10T00:00:00″,”modified”:”2026-04-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218667″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-3516″],”sourceData”:”# CVE-2026-3516: Authenticated...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=42347\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-12T02:00:54+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42347#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42347\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667\",\"datePublished\":\"2026-04-12T02:00:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42347\"},\"wordCount\":869,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-6.4\",\"exploit\",\"MEDIUM\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=42347#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42347\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42347\",\"name\":\"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-12T02:00:54+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42347#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=42347\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42347#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=42347","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667 - zero redgem","og_description":"{“lastseen”:”2026-04-10T17:15:23″,”description”:”WordPress Contact List plugin versions 3.0.17 and below suffer from a persistent cross site scripting vulnerability…”,”published”:”2026-04-10T00:00:00″,”modified”:”2026-04-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218667″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-3516″],”sourceData”:”# CVE-2026-3516: Authenticated...","og_url":"https:\/\/zero.redgem.net\/?p=42347","og_site_name":"zero redgem","article_published_time":"2026-04-12T02:00:54+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=42347#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=42347"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667","datePublished":"2026-04-12T02:00:54+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=42347"},"wordCount":869,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-6.4","exploit","MEDIUM","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=42347#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=42347","url":"https:\/\/zero.redgem.net\/?p=42347","name":"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-12T02:00:54+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=42347#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=42347"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=42347#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 WordPress Contact List 3.0.17 Cross Site Scripting_PACKETSTORM:218667"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/42347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=42347"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/42347\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=42347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=42347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=42347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}