| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2026-3516 | 20 Mar 2026 23:25 | – | attackerkb |
| CVE-2026-3516 | 20 Mar 2026 23:16 | – | circl |
| WordPress plugin Contact List cross-site scripting vulnerability | 21 Mar 2026 00:00 | – | cnnvd |
| CVE-2026-3516 | 20 Mar 2026 23:25 | – | cve |
| CVE-2026-3516 Contact List <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter | 20 Mar 2026 23:25 | – | cvelist |
| EUVD-2026-13922 | 21 Mar 2026 00:31 | – | euvd |
| CVE-2026-3516 | 21 Mar 2026 00:16 | – | nvd |
| WordPress Contact List plugin <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter vulnerability | 20 Mar 2026 21:14 | – | patchstack |
| PT-2026-26720 | 20 Mar 2026 00:00 | – | ptsecurity |
| CVE-2026-3516 | 26 Mar 2026 15:12 | – | redhatcve |
# CVE-2026-3516: Authenticated Stored Cross-Site Scripting (XSS) in Contact List Plugin
> **Disclaimer:** This repository is created for **educational purposes and ethical disclosure only**. The vulnerability has been responsibly reported to the vendor and patched. Do not use this information to exploit systems without proper authorization.
## Summary
A **Stored Cross-Site Scripting (XSS)** vulnerability was discovered in the **Contact List - Online Staff Directory & Address Book** plugin for WordPress (versions <= 3.0.17). This vulnerability allows authenticated users with **Author** privileges or higher to inject malicious JavaScript into contact cards via a hidden custom field.
When the contact card is rendered on the public-facing directory, the injected payload executes in the browser of any visitor. If an Administrator views the page, this flaw can be escalated to full Account Takeover (ATO) and site compromise.
## Vulnerability Overview
* **CVE ID:** CVE-2026-3516
* **Product:** Contact List (WordPress Plugin)
* **Affected Versions:** `<= 3.0.17`
* **Vulnerability Type:** Stored Cross-Site Scripting (XSS) (CWE-79)
* **Required Privileges:** Authenticated (Author or higher)
## Technical Deep Dive & Root Cause
The vulnerability stems from improper sanitization and unsafe output handling of the `_cl_map_iframe` custom field, which is intended to embed map iframes.
**1. Insecure Data Storage:**
In `includes/class-contact-list-custom-fields.php` (inside `saveCustomFields()`), the plugin processes the `_cl_map_iframe` input using a regular expression to extract an `<iframe>` block. However, it fails to apply a strict allowlist or sanitization function (like `wp_kses_post()`) before saving the data to the database using `update_post_meta()` (lines ~679-697).
**2. Unsafe Frontend Rendering:**
In `public/class-cl-public-card.php` (lines ~456-468), the plugin retrieves the stored `_cl_map_iframe` value and appends it directly to the output HTML. Because the output is neither escaped nor sanitized, any injected event handlers (e.g., `onload`, `onerror`) within the iframe tag are executed by the victim's browser.
## Business Impact
* **Account Takeover (ATO):** If an Administrator visits the infected contact list page, the malicious script can execute actions on their behalf, such as creating rogue admin accounts or modifying site settings.
* **Data Theft:** The XSS payload can silently steal session cookies or local storage tokens from visitors.
* **Reputation Damage:** Attackers can redirect users to phishing sites or deface the public directory, destroying visitor trust.
## Proof of Concept (PoC)
### Prerequisites
1. WordPress with Contact List (<= 3.0.17) installed.
2. A published page containing the `[contact_list]` shortcode.
3. Attacker logged in with an **Author** account.
### Exploitation Steps
1. Log in as the **Author**.
2. Navigate to **Contacts -> Add New** (`/wp-admin/post-new.php?post_type=contact`).
3. Fill in the required contact details to prepare for publishing.
4. Using a proxy like Burp Suite, intercept the `POST` request sent to `/wp-admin/post.php`.
5. Append the malicious payload to the request body:
`_cl_map_iframe=<iframe src='about:blank' onload='alert("XSS_By_CVE-2026-3516")'></iframe>`
6. Forward the request. The server stores the malicious iframe.
7. **Trigger:** Visit the public directory page where `[contact_list]` is embedded. The alert box will trigger immediately, confirming code execution.
### Example Malicious HTTP Request
```http
POST /wp-admin/post.php HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded
Cookie: [Author_Session_Cookies]

post_title=Hacked+Contact&post_type=contact&action=editpost&_cl_map_iframe=<iframe src='about:blank' onload='alert("XSS")'></iframe>
```
## Remediation
To patch this vulnerability, the plugin developers must:
1. **Sanitize Input:** Use `wp_kses()` with a strict array of allowed HTML tags and attributes when saving `_cl_map_iframe`. Disallow attributes like `onload`, `onerror`, or `javascript:` URIs.
2. **Escape Output:** Ensure all user-supplied data retrieved from the database is properly escaped before rendering it to the DOM.
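The two flaws described in the root-cause section (the unsanitized `update_post_meta()` call in `saveCustomFields()` and the raw append in the public card) can both be closed by applying the same allowlist on the save path and again on the render path. The following PHP is an added example, not the plugin's own code: the `cl_*` function names and the allowed-host list are assumptions, while `wp_kses()`, `wp_parse_url()`, `update_post_meta()` and `get_post_meta()` are WordPress core functions.

```php
<?php
// Allowlist: one tag, embedding/presentation attributes only. No event handler
// (onload, onerror, ...) is listed, so wp_kses() strips them.
const CL_MAP_IFRAME_ALLOWED_HTML = [
    'iframe' => [
        'src'             => true,
        'width'           => true,
        'height'          => true,
        'style'           => true,
        'loading'         => true,
        'allowfullscreen' => true,
        'referrerpolicy'  => true,
    ],
];

// Hosts a map embed may come from (assumed values; adjust per deployment).
const CL_MAP_IFRAME_ALLOWED_HOSTS = [ 'www.google.com', 'www.openstreetmap.org' ];

// Reduce the submitted value to one allowlisted <iframe>, or '' if it cannot be
// made safe. Must run before update_post_meta(), which the vulnerable code skipped.
function cl_sanitize_map_iframe( string $raw ): string {
    if ( ! preg_match( '#<iframe\b[^>]*>.*?</iframe>#is', $raw, $m ) ) {
        return '';
    }
    // wp_kses() drops tags/attributes outside the allowlist and rejects src
    // values whose scheme is not in wp_allowed_protocols() (no javascript:).
    $clean = wp_kses( $m[0], CL_MAP_IFRAME_ALLOWED_HTML );
    // Defence in depth: src must be https and point at an allowlisted host.
    if ( ! preg_match( '#\bsrc=["\']([^"\']+)["\']#i', $clean, $src ) ) {
        return '';
    }
    $parts = wp_parse_url( $src[1] ) ?: [];
    if ( ( $parts['scheme'] ?? '' ) !== 'https'
        || ! in_array( $parts['host'] ?? '', CL_MAP_IFRAME_ALLOWED_HOSTS, true ) ) {
        return '';
    }
    return $clean;
}

function cl_save_map_iframe( int $post_id, string $raw ): void {
    update_post_meta( $post_id, '_cl_map_iframe', cl_sanitize_map_iframe( $raw ) );
}

// Render path: re-apply the allowlist on output so a value stored before the
// fix cannot execute in a visitor's browser (the vulnerable code appended it raw).
function cl_render_map_iframe( int $post_id ): string {
    $stored = (string) get_post_meta( $post_id, '_cl_map_iframe', true );
    return wp_kses( $stored, CL_MAP_IFRAME_ALLOWED_HTML );
}
```

Filtering on render as well as on save is what protects sites where a payload was stored before the plugin was updated; auditing existing `_cl_map_iframe` rows for `on*=` attributes is the matching incident-response check.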
## Timeline
* **2026-03-03:** Reported to Wordfence.
* **2026-03-20:** Vulnerability patched / public disclosure.
## References & Credits
* [Wordfence Vulnerability Database](https://www.wordfence.com/threat-intel/vulnerabilities/id/a8059995-55cb-49ee-add1-f5364d0772eb)
* [CVE-2026-3516 on NVD](https://www.cve.org/CVERecord?id=CVE-2026-3516)
* [Contact List Plugin on WordPress.org](https://wordpress.org/plugins/contact-list/)