Platform: wordpress
Component: contact-manager
Fixed in: 9.1.1
CVE-2026-32517 describes a Reflected Cross-Site Scripting (XSS) vulnerability within the Kleor Contact Manager plugin for WordPress. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions of Kleor Contact Manager prior to 9.1.1, and a patch has been released to address the issue.
Successful exploitation of CVE-2026-32517 enables an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This can be achieved by crafting a malicious URL containing the XSS payload and tricking a user into clicking it. The attacker could then steal session cookies, redirect users to phishing sites, or deface the website. The blast radius is limited to users who interact with the vulnerable page, but the potential for widespread compromise exists if the plugin is widely used and the attack is effectively targeted. Similar XSS vulnerabilities have historically been leveraged to gain persistent access to WordPress sites.
CVE-2026-32517 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. The EPSS score is likely to be medium, given the relatively straightforward nature of Reflected XSS and the potential for widespread impact. It is not currently listed on the CISA KEV catalog.
Exploit Status:
EPSS: 0.04% (11th percentile)
CVSS Vector:
The primary mitigation for CVE-2026-32517 is to immediately update Kleor Contact Manager to version 9.1.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data within the plugin's code. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Regularly scan WordPress installations for vulnerable plugins using security scanning tools.
Update to version 9.1.1, or a newer patched version
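As an added illustration of the interim mitigation described above (input validation plus context-aware output encoding), here is the reflected-output pattern beside its hardened WordPress form. This is example code, not code from the Kleor Contact Manager plugin; the shortcode, the function names and the `cm_q` query parameter are hypothetical.

```php
<?php
// Added example, not code from the Kleor Contact Manager plugin. Hypothetical
// shortcode that reflects a query parameter back into the page, first in the
// unsafe form, then hardened with WordPress sanitisation and escaping.

// UNSAFE (the Reflected XSS pattern): the raw query value is concatenated
// into HTML, so markup supplied in ?cm_q=... is rendered as-is in the
// viewer's browser.
function hypothetical_cm_search_notice_unsafe() {
    $q = isset( $_GET['cm_q'] ) ? $_GET['cm_q'] : '';
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="cm_q" value="' . $q . '">';
}

// HARDENED: validate on input, then escape for the exact output context.
function hypothetical_cm_search_notice_safe() {
    // Input validation: remove the slashes WordPress adds to superglobals,
    // then strip tags, NUL bytes and surrounding whitespace.
    $q = isset( $_GET['cm_q'] )
        ? sanitize_text_field( wp_unslash( $_GET['cm_q'] ) )
        : '';
    // Bound the length so oversized values are not reflected either.
    $q = mb_substr( $q, 0, 100 );

    // Output encoding per context: esc_html() for element text,
    // esc_attr() inside a quoted attribute, esc_url() for an href.
    // The URL is built on a fixed base, so the scheme is never user-chosen.
    $back = esc_url( add_query_arg( 'cm_q', $q, home_url( '/contact/' ) ) );
    return '<p>Results for: ' . esc_html( $q ) . '</p>'
         . '<input type="text" name="cm_q" value="' . esc_attr( $q ) . '">'
         . '<a href="' . $back . '">Search again</a>';
}

// Only the hardened callback is registered; the unsafe one is shown for
// comparison and should never ship.
add_shortcode( 'hypothetical_cm_search', 'hypothetical_cm_search_notice_safe' );
```

Sanitisation alone is not the control here: the escaping call that matches each output context is what prevents the reflected value from being parsed as markup.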
CVE-2026-32517 is a Reflected XSS vulnerability affecting Kleor Contact Manager versions up to 9.1, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using Kleor Contact Manager version 9.1 or earlier. Upgrade to 9.1.1 to mitigate the risk.
Upgrade Kleor Contact Manager to version 9.1.1 or later. Consider input validation and output encoding as an interim measure.
No active exploitation has been confirmed at this time, but the vulnerability's nature makes it likely that exploitation attempts will occur.
Refer to the Kleor Contact Manager website or WordPress plugin repository for the official advisory and update information.