Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kleor Contact Manager contact-manager allows Reflected XSS. This issue affects Contact Manager: from n/a through <= 9.1.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of user input when generating web pages in the Contact Manager plugin (CWE-79). An attacker places script in a URL parameter or form field that the plugin echoes back into the response without escaping it for its HTML context, so the script executes in the browser of whoever loads the crafted link. Because the script runs with the victim's session, the consequences range from page defacement and theft of client-side data not protected by HttpOnly, to actions performed as the victim through authenticated requests; against a logged-in administrator this can mean changes to the site itself.

Affected Systems

The flaw affects Kleor Contact Manager up to and including version 9.1; the record gives the lower bound as n/a, meaning no earliest affected release has been identified, so all earlier releases should be treated as affected. The affected product is the Contact Manager WordPress plugin (slug contact-manager) distributed by Kleor, and any WordPress site with that plugin installed at version 9.1 or earlier is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 rates the issue High. The vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) describes an attack that is reachable over the network with low complexity and no privileges, but that requires user interaction, namely a victim opening a crafted link; the scope is changed because the injected script runs in the victim's browser rather than in the vulnerable component itself. The EPSS estimate is below 1%, a very low predicted probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment likewise records no known exploitation and rates the attack as not automatable. None of this makes the issue safe to leave unpatched: reflected XSS is a well-understood attack vector, a crafted URL can be delivered by email, chat or a malicious page, and once a logged-in user follows it the attacker's JavaScript executes in that user's browser with that user's session.

Generated by OpenCVE AI on March 25, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Contact Manager plugin as soon as Kleor publishes a release newer than 9.1 that addresses the issue; this record does not yet name a fixed version, so verify the changelog before relying on an update.
  • If an update cannot be applied immediately, deactivate or remove the Contact Manager plugin from the WordPress installation so the vulnerable code is no longer reachable.
  • As an interim mitigation, a web application firewall rule that blocks common XSS payloads in query strings and form fields reduces exposure, but it does not fix the root cause: the plugin emits user input into the page without escaping it for its HTML context, and only a corrected plugin (or its removal) resolves that. Site-level input filtering is a defence-in-depth layer, not a substitute for output escaping in the plugin code.
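The escaping failure described under Impact, and the "escape on output, don't rely on input filtering" point behind the third recommended action, are easier to see in code. The following is an added example written for this page and is not code from the Contact Manager plugin or from Kleor: the record does not name the affected parameter or template, so the `cm_search` GET parameter and both renderer functions are hypothetical stand-ins for the generic CWE-79 pattern. It runs with a stock PHP 8 CLI and needs no WordPress installation.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the Contact Manager plugin: the CVE record does
// not identify the affected parameter or template, so `cm_search` is a hypothetical
// GET parameter and both renderers show the generic reflected-XSS pattern and its fix.

// Vulnerable: the raw query-string value is concatenated into the page. A request for
// ?cm_search=<script>...</script> is reflected verbatim and runs in the viewer's browser.
function render_search_banner_vulnerable(array $get): string
{
    $q = (string) ($get['cm_search'] ?? '');
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="cm_search" value="' . $q . '">';
}

// Hardened: escape at the point of output, for the context the value lands in.
// htmlspecialchars() with ENT_QUOTES turns < > & " ' into entities, which covers both an
// HTML text node and a double-quoted attribute value; inside WordPress the equivalent
// calls are esc_html() and esc_attr(). A value emitted into a <script> block, an inline
// event handler or a URL needs a different escaper (esc_js(), esc_url()); HTML entity
// encoding alone is not sufficient in those contexts.
function render_search_banner_hardened(array $get): string
{
    $q   = (string) ($get['cm_search'] ?? '');
    $esc = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Results for: ' . $esc . '</p>'
         . '<input type="text" name="cm_search" value="' . $esc . '">';
}

// Counts element start tags in a rendered fragment. The template legitimately emits
// exactly two (<p> and <input>), so any extra one came from the reflected input.
function count_start_tags(string $html): int
{
    return preg_match_all('/<[a-zA-Z][^\s>\/]*/', $html);
}

// Constructed probe payloads, one per injection technique the template exposes.
$payloads = [
    '<script>alert(document.cookie)</script>', // new element in text context
    '"><img src=x onerror=alert(1)>',          // closes value="" and the <input> tag, adds an element
    '" autofocus onfocus="alert(1)',           // no new tag: injects attributes into the existing <input>
];

foreach ($payloads as $p) {
    $vuln = render_search_banner_vulnerable(['cm_search' => $p]);
    $safe = render_search_banner_hardened(['cm_search' => $p]);

    // The vulnerable renderer reflects the payload byte-for-byte.
    if (!str_contains($vuln, $p)) {
        throw new RuntimeException('expected the vulnerable renderer to reflect the payload');
    }
    // The hardened output has exactly the template's two elements ...
    if (count_start_tags($safe) !== 2) {
        throw new RuntimeException('hardened output emitted an unexpected element');
    }
    // ... and exactly the template's six double quotes (type, name, value), so no
    // attribute boundary was crossed either.
    if (substr_count($safe, '"') !== 6) {
        throw new RuntimeException('hardened output leaked a raw double quote into an attribute');
    }

    echo "vulnerable: {$vuln}\n";
    echo "hardened:   {$safe}\n\n";
}
```

Run it with `php reflected_xss_demo.php`. For every payload the vulnerable renderer reflects the input unchanged, adding elements or attributes the template never declared, while the hardened renderer keeps exactly two tags and six double quotes regardless of input. Inside a WordPress plugin the equivalent fix is to wrap each echoed value in esc_html() or esc_attr() (esc_js() or esc_url() for script and URL contexts); sanitize_text_field() on the way in is a useful complement, but because the same value may later be emitted into several different contexts it does not replace escaping at the point of output.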

Generated by OpenCVE AI on March 25, 2026 at 22:58 UTC.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kleor; Kleor contact Manager; Wordpress; Wordpress wordpress
Vendors & Products | | Kleor; Kleor contact Manager; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kleor Contact Manager contact-manager allows Reflected XSS. This issue affects Contact Manager: from n/a through <= 9.1.
Title | | WordPress Contact Manager plugin <= 9.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:13:18.514Z

Reserved: 2026-03-12T11:12:13.807Z

Link: CVE-2026-32517

Vulnrichment

Updated: 2026-03-25T20:03:37.128Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:17:04.313

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:27Z

Weaknesses