Platform
wordpress
Component
contact-manager
Fixed in
9.1.1
CVE-2026-32517 describes a reflected cross-site scripting (XSS) vulnerability in Kleor Contact Manager for WordPress. The plugin echoes attacker-controlled request input into the page it returns without adequate encoding, so script placed in a crafted URL runs in the browser of whoever follows that link, under the vulnerable site's origin. That can lead to session hijacking, data theft or defacement of what the victim sees. Versions prior to 9.1.1 are affected; the fix ships in 9.1.1.
Successful exploitation of CVE-2026-32517 lets an attacker run arbitrary JavaScript in a victim's browser session on the affected site. The attacker crafts a URL carrying the payload and persuades a user (by e-mail, chat, a forum post and so on) to open it; the script is reflected into the response and executes. WordPress marks its authentication cookies HttpOnly, so script usually cannot read them outright; the more realistic outcome is that the script acts as the victim while the page is open, for example by issuing requests to wp-admin with the victim's privileges, or that it redirects the user to a phishing site or rewrites the page content. The blast radius is limited to users who open the crafted link, but if that user is a logged-in administrator the result can be full site compromise. Reflected XSS is particularly easy to weaponise because the whole attack rides on a link that spreads through ordinary social engineering.
CVE-2026-32517 was publicly disclosed on 2026-03-25. No public proof-of-concept exploit is known at the time of writing, and the EPSS score listed on this page (0.04%, 11th percentile) is low. Read that score as a prioritisation signal, not an all-clear: a reflected XSS needs nothing more than a crafted link once the vulnerable parameter is known, so exploitation attempts are cheap. Monitor security advisories and threat-intelligence feeds for signs of active exploitation, and check your own access logs for XSS payloads aimed at the site.
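As an added example that is not part of this advisory, the following POSIX shell script scans an access log in the Apache/nginx "combined" format for reflected-XSS probes. It percent-decodes and lowercases each request URL before matching, so encoded or mixed-case payloads are caught as well as plain ones. The log lines it contains are constructed, and because the advisory does not name the vulnerable parameter, no parameter filter is applied; the marker list in PATTERN is an assumption to tune for your own site.

```sh
#!/bin/sh
# Added example, not part of the advisory: scan a web server access log for
# requests whose query string carries reflected-XSS markers, the kind of
# probing to expect against a flaw like CVE-2026-32517.
# Assumptions: Apache/nginx "combined" log format (client IP first, request
# line in the first quoted field, status code right after it) and a POSIX awk.
# The advisory does not name the vulnerable parameter, so nothing filters on
# a parameter name; narrow PATTERN or add one once you know it.

# Markers are matched against the lowercased, percent-decoded URL.
# Parentheses and dots are bracketed so the string survives awk -v escaping.
PATTERN='<script|</script|javascript:|on(error|load|mouseover|focus)=|<svg|<img|<iframe|document[.]cookie|alert[(]'

# Read log lines on stdin; print "ip<TAB>status<TAB>decoded url" per hit.
flag_xss_probes() {
    awk -v pat="$PATTERN" '
    BEGIN {
        # lookup table for percent-decoding: "3C" -> "<", "20" -> " ", ...
        for (i = 1; i < 256; i++) tbl[sprintf("%02X", i)] = sprintf("%c", i)
    }
    function urldecode(s,    out, i, h) {
        out = ""; gsub(/\+/, " ", s)
        while ((i = index(s, "%")) > 0) {
            out = out substr(s, 1, i - 1)
            h = toupper(substr(s, i + 1, 2))
            if (h in tbl) { out = out tbl[h]; s = substr(s, i + 3) }
            else          { out = out "%";    s = substr(s, i + 1) }
        }
        return out s
    }
    {
        split($0, q, "\"")          # q[2] = request line, q[3] = " status bytes "
        split(q[2], req, " ")       # req[2] = URL exactly as the client sent it
        split(q[3], rest, " ")      # rest[1] = HTTP status code
        url = urldecode(req[2])
        if (tolower(url) ~ pat) printf "%s\t%s\t%s\n", $1, rest[1], url
    }'
}

# Constructed sample log (not captured from a real server): a benign request,
# a plain probe, a percent-encoded probe that only matches after decoding,
# and a mixed-case tag that only matches after lowercasing.
SAMPLE_LOG='203.0.113.7 - - [25/Mar/2026:10:01:02 +0000] "GET /contact/?s=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Mar/2026:10:01:09 +0000] "GET /?param=<script>alert(1)</script> HTTP/1.1" 200 4880 "-" "curl/8.5.0"
198.51.100.4 - - [25/Mar/2026:10:01:15 +0000] "GET /?param=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 4880 "-" "curl/8.5.0"
192.0.2.9 - - [25/Mar/2026:10:02:30 +0000] "GET /?q=%3cScRiPt%3e HTTP/1.1" 404 310 "-" "python-requests/2.31"'

# Number of flagged lines in the sample (three of the four are probes).
count_sample_probes() {
    printf '%s\n' "$SAMPLE_LOG" | flag_xss_probes | wc -l | tr -d ' '
}

# Usage on a real log:  flag_xss_probes < /var/log/nginx/access.log
# Run on its own, the script demonstrates on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_xss_probes
```

Decoding before matching is the point of the script: a signature that only looks for the literal `<script` misses `%3cScRiPt%3e`, and the 404 on the last sample line shows that a probe does not have to hit a valid page to be worth noticing.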
Websites running the Kleor Contact Manager plugin at a version prior to 9.1.1 are at risk. Because reflected XSS executes in the visitor's browser under the vulnerable site's origin, it does not by itself give the attacker code execution on the server or reach into other tenants of a shared host; neighbouring sites are only exposed indirectly, if the XSS is used to hijack an administrator session and that access is then used to alter the site.
• wordpress / composer / npm:
grep -r "contact-manager" /var/www/html/wp-content/plugins/
wp plugin list | grep contact-manager
• generic web:
curl -I 'https://example.com/?param=<script>alert(1)</script>'
The URL has to be quoted, otherwise the shell treats < and > as redirections. param is a placeholder, since the advisory does not name the vulnerable parameter. With -I curl sends a HEAD request and prints only headers, which tells you whether a WAF blocks the payload (for example with a 403) but not whether the payload is reflected; to check reflection, drop -I and search the response body for the unencoded payload.
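As an added example that is not part of this advisory or of the plugin, the following POSIX shell script goes one step further than the grep above: it reads the Version: header that WordPress itself parses from the plugin's main PHP file and compares it with 9.1.1 using sort -V, so it works without WP-CLI and across several document roots in one run. The plugin slug contact-manager and the header location are assumptions, and the sample site it builds for the demonstration is constructed.

```sh
#!/bin/sh
# Added example, not part of the advisory or of the Kleor plugin: read the
# installed Contact Manager version from the plugin header that WordPress
# itself parses, and compare it with the fixed release.
# Assumptions: the plugin lives in wp-content/plugins/contact-manager (the
# slug the advisory's grep looks for), its "Version:" header sits in a PHP
# file in that top-level directory as WordPress requires, and grep -m1 and
# sort -V (GNU coreutils or busybox) are available.

FIXED_VERSION="9.1.1"

# Print the Version: header from a plugin directory, or nothing if absent.
plugin_version() {
    dir="$1"
    grep -h -m1 -iE '^[[:space:]]*\*?[[:space:]]*Version:' "$dir"/*.php 2>/dev/null \
        | head -n1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# Classify an installed version relative to FIXED_VERSION.
# Prints "vulnerable", "fixed" or "unknown" so callers can branch on it.
vuln_status() {
    installed="$1"
    if [ -z "$installed" ]; then
        echo unknown
        return 0
    fi
    # The version that sorts first is the lower one; if that is the fixed
    # release, the installed version is at least 9.1.1.
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Report one tab-separated line per document root that has the plugin.
scan_roots() {
    for root in "$@"; do
        dir="$root/wp-content/plugins/contact-manager"
        [ -d "$dir" ] || continue
        v=$(plugin_version "$dir")
        printf '%s\t%s\t%s\n' "$root" "${v:-?}" "$(vuln_status "$v")"
    done
}

# Constructed sample (not a real site): a throwaway document root whose
# plugin header reports 9.1, the last release before the fix.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/contact-manager"
    cat > "$root/wp-content/plugins/contact-manager/contact-manager.php" <<'EOF'
<?php
/**
 * Plugin Name: Contact Manager
 * Version: 9.1
 */
EOF
    echo "$root"
}

# Usage: sh check-contact-manager.sh /var/www/html /srv/www/site2
# With no arguments the script runs against the constructed sample.
if [ "$#" -gt 0 ]; then
    scan_roots "$@"
else
    sample=$(make_sample_site)
    scan_roots "$sample"      # <tmpdir>  9.1  vulnerable
    rm -rf "$sample"
fi
```

sort -V is used deliberately: a plain string comparison would rank 9.10 below 9.1.1 and report a patched site as vulnerable. An empty header yields "unknown" rather than a guess, which is the case to chase manually (a renamed or hand-edited plugin directory).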
Exploit status
EPSS
0.04% (11th percentile)
CVSS vector
The primary mitigation for CVE-2026-32517 is to upgrade Kleor Contact Manager to version 9.1.1 or later. If you cannot upgrade right away, deactivating the plugin removes the exposure entirely. A web application firewall configured to block common XSS payloads, and a Content-Security-Policy that disallows inline script, reduce the risk but do not eliminate it, because reflected payloads can be encoded in ways a signature misses. Output encoding of user-supplied data at the point of output (for WordPress, esc_html(), esc_attr() and related functions) is the real fix, but it has to be applied inside the plugin's own code, so it is not something a site operator can bolt on from outside; that is why upgrading is the answer. Scan your WordPress installation regularly with a reputable security plugin so that outdated plugins are flagged.
Update to version 9.1.1 or a newer patched version.
CVE-2026-32517 is a Reflected XSS vulnerability affecting Kleor Contact Manager versions up to 9.1, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using Kleor Contact Manager version 9.1 or earlier. Upgrade to 9.1.1 to mitigate the risk.
Upgrade Kleor Contact Manager to version 9.1.1 or later. Until you can, deactivate the plugin or put WAF rules in front of it as an interim measure.
No active exploitation has been confirmed at this time, but the vulnerability's nature makes it likely that exploitation attempts will occur.
Refer to the Kleor Contact Manager website or WordPress plugin repository for the official advisory and update information.