Contact List – Online Staff Directory & Address Book Vulnerability …


Mar 20, 2026 | Plugins

CVE-2026-3516 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability (CVSS 6.4) affecting the Contact List – Online Staff Directory & Address Book WordPress plugin (slug: contact-list) in versions up to and including 3.0.18. It allows an authenticated user with at least Contributor privileges to store malicious script-capable markup in a custom field used for a Google Maps iframe, which can then run in other users’ browsers when the affected content is viewed.

Attack Vectors

This issue is exploitable by a user who can log in to WordPress and create or edit content that uses the Contact List plugin’s custom fields (for many organizations, that means Contributors, Editors, and above—or any compromised account with those rights).

The vulnerable entry point is the plugin’s Google Maps iframe custom field (the _cl_map_iframe parameter). An attacker can embed an iframe with unsafe attributes (for example, event handlers) so that the payload is stored in the database and later executed when staff directory entries or related pages are rendered for other viewers.

Because this is stored XSS, it can affect multiple visitors over time—especially internal users who regularly access staff directories (marketing, HR, operations, executives) and may have elevated privileges or access to sensitive dashboards.

Security Weakness

The root cause is insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The plugin extracts <iframe> tags from user-provided input but does not adequately validate or sanitize the iframe’s attributes before storing and later displaying the resulting HTML.

As documented in the published advisory, the plugin’s handling of this field allows unsafe attributes (including event handlers such as onload) to persist. In business terms: the plugin accepts and re-displays more “active content” than it should, creating an opportunity for scripts to run in the context of your site.
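The allowlist approach that addresses the weakness described above, rebuilding the iframe from parsed attributes rather than storing the submitted tag verbatim, as an added Python illustration; it is not the plugin’s PHP code, and the accepted embed host, path prefix and attribute names are assumptions:

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not taken from the plugin): only HTTPS Google Maps embed URLs pass as src.
ALLOWED_HOST = "www.google.com"
ALLOWED_PATH_PREFIX = "/maps/embed"
ALLOWED_ATTRS = ("src", "width", "height", "loading", "referrerpolicy", "allowfullscreen")

# Constructed sample input: a valid embed carrying an event-handler attribute.
SAMPLE_INPUT = ('<iframe src="https://www.google.com/maps/embed?pb=abc" width="600" '
                'height="450" onload="doSomething()" style="color:red"></iframe>')

class _FirstIframe(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and self.attrs is None:  # parser lowercases tag/attr names
            self.attrs = dict(attrs)

def _parse_iframe(markup):
    parser = _FirstIframe()
    parser.feed(markup)
    return parser.attrs

def _src_allowed(src):
    url = urlparse(src)
    return (url.scheme == "https" and url.netloc == ALLOWED_HOST
            and url.path.startswith(ALLOWED_PATH_PREFIX))

def sanitize_map_iframe(markup):
    """Rebuild the iframe from allowlisted attributes only, or return None.
    Regenerating the tag is what drops event handlers such as onload."""
    attrs = _parse_iframe(markup)
    if attrs is None or not _src_allowed(attrs.get("src") or ""):
        return None
    kept = []
    for name in ALLOWED_ATTRS:
        if name in attrs:
            value = attrs[name]  # None for boolean attributes such as allowfullscreen
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
    return "<iframe " + " ".join(kept) + "></iframe>"

def dropped_attributes(markup):
    """Attribute names the sanitizer removed; worth logging to spot abuse attempts."""
    attrs = _parse_iframe(markup) or {}
    return sorted(set(attrs) - set(ALLOWED_ATTRS))
```

Rejected inputs and the names returned by dropped_attributes are the detection signal to log; in WordPress itself the same allowlist would be expressed through wp_kses with an explicit allowed-attribute list.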

Remediation: Update the Contact List plugin to version 3.0.19 or a newer patched version. Track the official record at CVE-2026-3516 and the published advisory source at Wordfence.

Technical or Business Impacts

Brand and trust risk: Stored XSS can be used to deface pages, inject unwanted content, or redirect visitors—damaging brand perception, reducing conversion rates, and undermining campaign performance.

Account takeover and internal risk: If a payload runs in the browser of an administrator or editor, it may be used to perform actions on their behalf (for example, changing site settings, creating new admin users, or planting additional backdoors). Even when direct takeover isn’t achieved, session disruption and unauthorized actions can create operational downtime.

Data exposure and compliance risk: The CVSS vector indicates low confidentiality and integrity impact, but in real-world scenarios XSS is often leveraged to access sensitive content visible to the victim (staff contact details, internal-only pages, customer or partner information) and to manipulate what users see. This can trigger incident response costs and compliance reporting considerations, depending on your data environment and jurisdiction.

Recommended business actions: Beyond patching, review who has Contributor access, remove unnecessary accounts, and audit recent changes to staff directory entries or custom fields. Consider adding additional safeguards such as a web application firewall (WAF) and routine plugin vulnerability monitoring as part of your change-management process.

Similar Attacks

MySpace “Samy” worm (2005): a well-known stored XSS incident that spread rapidly by persisting malicious code in user profiles, demonstrating how stored XSS can scale quickly when embedded in commonly viewed pages.

WordPress core stored XSS in comments (CVE-2015-3440): a documented example showing how stored XSS in a mainstream publishing workflow can put administrators and editors at risk when they view affected content.
