CVE-2026-3178 – The Name Directory WordPress plugin has a store... (How to Fix)

Q: What is the severity of CVE-2026-3178?

CVE-2026-3178 has a CVSS score of 7.2 (HIGH). The Name Directory WordPress plugin has a stored cross-site scripting vulnerability in the 'name_directory_name' parameter that allows unauthenticated attackers to inject malicious scripts. When users view pages containing the injected content, the scripts execute in their browsers. All WordPress sites using Name Directory plugin versions up to 1.32.1 are affected.

📋 TL;DR

The Name Directory WordPress plugin has a stored cross-site scripting vulnerability in the 'name_directory_name' parameter that allows unauthenticated attackers to inject malicious scripts. When users view pages containing the injected content, the scripts execute in their browsers. All WordPress sites using Name Directory plugin versions up to 1.32.1 are affected.

💻 Affected Systems

Products:

WordPress Name Directory Plugin

Versions: All versions up to and including 1.32.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability affects the plugin's name entry functionality which is typically accessible to users with appropriate permissions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, perform account takeover, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise.

🟠

Likely Case

Attackers inject malicious scripts to steal user session cookies, perform phishing attacks, or deface website content visible to visitors.

🟢

If Mitigated

With proper web application firewalls and content security policies, script execution could be blocked, limiting impact to visual defacement only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires no authentication and involves simple script injection into the name parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.32.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3478625

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Name Directory plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin, then install latest version from WordPress repository.

🔧 Temporary Workarounds

Disable Name Directory Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate name-directory

Implement Content Security Policy

all

Add CSP headers to prevent script execution from untrusted sources

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");

🧯 If You Can't Patch

Remove the Name Directory plugin entirely and use alternative directory solutions
Implement strict web application firewall rules to block XSS payloads in the name_directory_name parameter

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Name Directory → Version number. If version is 1.32.1 or earlier, you are vulnerable.

Check Version:

wp plugin get name-directory --field=version

Verify Fix Applied:

After updating, verify version is higher than 1.32.1. Test name entry functionality with basic script payloads like <script>alert('test')</script> to ensure sanitization works.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to admin.php with script tags in parameters
Multiple failed XSS attempts in web server logs
Suspicious user agent strings containing script payloads

Network Indicators:

HTTP requests containing <script> tags in name_directory_name parameter
Unusual spikes in traffic to name directory pages

SIEM Query:

source="web_logs" AND ("name_directory_name" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))

📊 Metadata

CVE ID: CVE-2026-3178

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: March 11, 2026

Last Updated: March 11, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-3178, you might also want to check these: