CVE-2026-32517

Vulnerability

Overview

The WordPress Contact Manager plugin (versions up to and including 9.1) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a page, which is then reflected back to the victim's browser.

Exploitation

Prerequisites

Exploitation requires a privileged user (such as an administrator) to perform an action like clicking a crafted link, visiting a specially prepared page, or submitting a malicious form [1]. The attacker does not need prior authentication but must trick the target user into interacting with the malicious payload. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's session. This can be used to redirect users to malicious sites, display unwanted advertisements, steal session cookies, or perform other actions that compromise the integrity of the website and its visitors [1].

Mitigation

The vendor has released version 9.1.1 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule that blocks attacks until the patch is applied [1]. Auto-update features can also be enabled for vulnerable plugins to ensure timely protection.