Skip to main content

Contact Manager EUVDEUVD-2026-15878

| CVE-2026-32517 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-frpx-5qp6-94rm
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15878
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kleor Contact Manager contact-manager allows Reflected XSS.This issue affects Contact Manager: from n/a through <= 9.1.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Kleor Contact Manager through version 9.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects the Contact Manager plugin and can be exploited via reflected XSS attacks where user input is improperly neutralized during web page generation. An attacker can craft a malicious URL containing JavaScript payloads that execute in the victim's browser, potentially leading to session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or active KEV status is currently available; however, the confirmed presence of the vulnerability through Patchstack indicates a legitimate security concern requiring immediate attention.

Technical ContextAI

The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application flaw where user-supplied input is reflected in HTTP responses without proper encoding or sanitization. The Kleor Contact Manager plugin (CPE: cpe:2.3:a:kleor:contact_manager:*:*:*:*:*:*:*:*) fails to properly escape or validate input parameters before rendering them in HTML context, allowing attackers to break out of the intended context and inject arbitrary JavaScript. This occurs in the reflected XSS variant, meaning the malicious payload is processed server-side and immediately reflected to the client without persistent storage, but remains exploitable through crafted URLs. The underlying issue is insufficient input validation and output encoding mechanisms within the Contact Manager's request handling and template rendering logic.

RemediationAI

Upgrade Kleor Contact Manager to a patched version once released by the vendor; check Patchstack's vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/contact-manager/vulnerability/wordpress-contact-manager-plugin-9-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for the availability of security updates and the minimum safe version. If immediate patching is not possible, implement server-side input validation and output encoding for all user-supplied parameters, particularly those reflected in HTML responses; consider deploying a Web Application Firewall (WAF) with XSS detection rules to filter malicious payloads. Additionally, enforce Content Security Policy (CSP) headers with strict script-src policies to mitigate the impact of injected scripts, and educate users to avoid clicking on suspicious links or URLs from untrusted sources. Monitor contact-manager plugin activity logs for signs of XSS exploitation attempts.

Share

EUVD-2026-15878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy