Vulnerabilities ›

CVE-2026-1866

High

CWE-79 — Weakness Type

                    Published: Feb 10, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.2

🔗 NVD Official

📄 Description (English)

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling `html_entity_decode()` before `wp_kses()`, and then calling `html_entity_decode()` again on output. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the 'name_directory_name' and 'name_directory_description' parameters in the public submission form granted they can trick the site administrator into approving their submission or auto-publish is enabled.

🤖 AI Executive Summary

The Name Directory WordPress plugin versions up to 1.32.0 contain a Stored Cross-Site Scripting vulnerability due to improper double HTML-entity encoding in sanitization functions. Unauthenticated attackers can inject malicious scripts through public submission forms that execute when users access affected pages.

📄 Description (Arabic)

تحتوي إضافة Name Directory لـ WordPress على ثغرة Stored XSS تنتج عن استدعاء دالة html_entity_decode() قبل wp_kses() ثم استدعاؤها مرة أخرى عند الإخراج. يمكن للمهاجمين غير المصرحين حقن نصوص برمجية عشوائية عبر نماذج الإرسال العام في معاملات 'name_directory_name' و 'name_directory_description'.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 9, 2026 04:02

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1598 T1566

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update the Name Directory plugin to version 1.32.1 or later immediately. Disable auto-publish functionality for submissions if not required. Implement strict content moderation by reviewing all pending submissions before approval. Consider using Web Application Firewall (WAF) rules to detect and block XSS payloads in submission parameters.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Name Directory إلى الإصدار 1.32.1 أو أحدث فوراً. عطّل وظيفة النشر التلقائي للمساهمات إن لم تكن مطلوبة. طبّق مراجعة صارمة للمحتوى بفحص جميع المساهمات المعلقة قبل الموافقة عليها. استخدم قواعد جدار الحماية لتطبيقات الويب لكشف وحجب حمولات XSS.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

7.1 7.2 7.3

🔵 SAMA CSF

ID.GV-1 PR.DS-1 DE.CM-1

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5

🔗 References & Sources 5

🔗

https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/helpers.php#L604

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/shortcode.php#L193

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/name-directory/tags/1.31.0/shortcode.php#L41

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset/3455023/name-directory/trunk?contextall=1&...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/29d13457-ac60-4e3d-9d8b-0141e...

security@wordfence.com

📊 CVSS Score

7.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.2

CWECWE-79

EPSS0.12%

Exploit No

Patch ✓ Yes

Published 2026-02-10

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-1866

💬 Comments

Introduce Yourself

Sign In Required