Contact List – Online Staff Directory & Address Book Security & Risk Analysis

wordpress.org/plugins/contact-list

Build a custom staff directory, address book or any kind of listing with this easy-to-use plugin.

1K active installs · v3.0.18 · PHP 7.2+ · WP 6.0+ · Updated Mar 10, 2026

Tags: address-book, business-directory, directory, directory-plugin, staff-directory

Security score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: May 9, 2024
Safety Verdict

Is Contact List – Online Staff Directory & Address Book Safe to Use in 2026?

Generally Safe

Score 99/100

Contact List – Online Staff Directory & Address Book has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: May 9, 2024 · Updated 24d ago
Risk Assessment

The "contact-list" plugin v3.0.18 presents a mixed security posture. While it demonstrates some good practices such as a high percentage of properly escaped outputs and a decent number of nonce and capability checks, significant concerns arise from its attack surface. A notable 8 out of 15 entry points are AJAX handlers without any authentication checks, creating a broad avenue for potential unauthorized actions. Furthermore, the taint analysis reveals 6 critical flows with unsanitized paths, indicating a high risk of severe vulnerabilities like Cross-Site Scripting (XSS) or insecure direct object references if these flows are not properly handled.

The vulnerability history shows 2 known medium-severity CVEs, with the most recent being in May 2024. While there are no currently unpatched vulnerabilities, the historical presence of Missing Authorization and XSS issues, coupled with the current taint analysis findings, suggests a pattern of recurring security weaknesses that require diligent attention. The presence of the Freemius v1.0 bundled library, while not explicitly flagged as outdated, warrants monitoring for potential vulnerabilities in older versions.

In conclusion, the plugin has areas of strength, particularly in output escaping. However, the high number of unprotected AJAX handlers and the critical taint flows are significant security risks that demand immediate remediation. The historical vulnerability pattern further underscores the need for robust security practices to be consistently applied. The plugin's security can be significantly improved by implementing proper authentication and authorization checks on its exposed AJAX endpoints and thoroughly sanitizing all input involved in the identified taint flows.

Key Concerns

  • Unprotected AJAX handlers
  • Critical taint flows without sanitization
  • SQL queries with low prepared statement usage
  • Bundled outdated library (Freemius v1.0)
  • Previous medium CVEs indicating potential weaknesses
Vulnerabilities (2)

Contact List – Online Staff Directory & Address Book Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • Medium: 2 (2 total CVEs)

CVE-2024-34821 · medium · 5.3 · Missing Authorization

Contact List – Easy Business Directory, Staff Directory and Address Book Plugin <= 2.9.87 - Missing Authorization to Notice Dismissal

May 9, 2024 Patched in 2.9.88 (6d)
WF-926246a7-2f0d-4472-ae0a-fa3d95e5810f-contact-list · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contact List – Easy Business Directory, Staff Directory and Address Book Plugin <= 2.9.41 - Reflected Cross-Site Scripting

Aug 24, 2021 Patched in 2.9.42 (882d)
Code Analysis (analyzed Mar 16, 2026)

Contact List – Online Staff Directory & Address Book Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 16 (3 prepared)
  • Unescaped Output: 418 (1246 escaped)
  • Nonce Checks: 6
  • Capability Checks: 5
  • File Operations: 8
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

  • Freemius 1.0

SQL Query Safety

16% prepared (19 total queries)

Output Escaping

75% escaped (1664 total outputs)
Data Flows (6 unsanitized)

Data Flow Analysis

6 flows, 6 with unsanitized paths

  • register_import_log_page_callback (admin\class-cl-admin-import-log.php:23)
Attack Surface (8 unprotected)

Contact List – Online Staff Directory & Address Book Attack Surface

Entry Points: 15
Unprotected: 8

AJAX Handlers (8)

  • nopriv · wp_ajax_cl_send_mail_public · includes\class-contact-list.php:359
  • auth · wp_ajax_cl_send_mail_public · includes\class-contact-list.php:360
  • nopriv · wp_ajax_cl_get_contacts · includes\class-contact-list.php:362
  • auth · wp_ajax_cl_get_contacts · includes\class-contact-list.php:363
  • nopriv · wp_ajax_cl_get_contacts_simple · includes\class-contact-list.php:364
  • auth · wp_ajax_cl_get_contacts_simple · includes\class-contact-list.php:365
  • nopriv · wp_ajax_contact_list_search_log · includes\class-contact-list.php:368
  • auth · wp_ajax_contact_list_search_log · includes\class-contact-list.php:369

Shortcodes (7)

  • [contact_list] · public\class-cl-public.php:161
  • [contact_list_groups] · public\class-cl-public.php:162
  • [contact_list_form] · public\class-cl-public.php:163
  • [contact_list_search] · public\class-cl-public.php:164
  • [contact_list_simple] · public\class-cl-public.php:165
  • [contact_list_simple_groups] · public\class-cl-public.php:166
  • [contact_list_send_email] · public\class-cl-public.php:167
WordPress Hooks (55)

  • filter · connect_message · contact-list.php:82
  • filter · is_submenu_visible · contact-list.php:97
  • filter · connect_message_on_update · contact-list.php:121
  • filter · show_deactivation_feedback_form · contact-list.php:127
  • filter · plugin_icon · contact-list.php:132
  • action · after_uninstall · includes\class-contact-list-deactivator.php:34
  • action · plugins_loaded · includes\class-contact-list.php:168
  • action · admin_menu · includes\class-contact-list.php:202
  • action · save_post · includes\class-contact-list.php:203
  • action · do_meta_boxes · includes\class-contact-list.php:210
  • action · plugins_loaded · includes\class-contact-list.php:218
  • action · admin_enqueue_scripts · includes\class-contact-list.php:219
  • action · admin_enqueue_scripts · includes\class-contact-list.php:220
  • action · in_admin_header · includes\class-contact-list.php:221
  • action · admin_body_class · includes\class-contact-list.php:222
  • action · in_admin_footer · includes\class-contact-list.php:223
  • action · init · includes\class-contact-list.php:225
  • filter · manage_contact_posts_columns · includes\class-contact-list.php:227
  • action · manage_contact_posts_custom_column · includes\class-contact-list.php:233
  • action · restrict_manage_posts · includes\class-contact-list.php:240
  • action · pre_get_posts · includes\class-contact-list.php:247
  • filter · manage_edit-contact_sortable_columns · includes\class-contact-list.php:248
  • action · init · includes\class-contact-list.php:250
  • action · contact-group_edit_form_fields · includes\class-contact-list.php:256
  • action · edited_contact-group · includes\class-contact-list.php:263
  • filter · manage_edit-contact-group_columns · includes\class-contact-list.php:270
  • filter · manage_contact-group_custom_column · includes\class-contact-list.php:271
  • action · plugins_loaded · includes\class-contact-list.php:279
  • action · init · includes\class-contact-list.php:280
  • filter · admin_init · includes\class-contact-list.php:282
  • action · admin_menu · includes\class-contact-list.php:284
  • action · contact_list_import · includes\class-contact-list.php:285
  • action · admin_menu · includes\class-contact-list.php:293
  • action · admin_menu · includes\class-contact-list.php:295
  • action · admin_menu · includes\class-contact-list.php:297
  • action · admin_menu · includes\class-contact-list.php:299
  • action · admin_menu · includes\class-contact-list.php:301
  • action · admin_menu · includes\class-contact-list.php:303
  • action · admin_menu · includes\class-contact-list.php:305
  • action · admin_menu · includes\class-contact-list.php:306
  • action · admin_init · includes\class-contact-list.php:307
  • action · admin_menu · includes\class-contact-list.php:309
  • action · admin_menu · includes\class-contact-list.php:311
  • action · admin_notices · includes\class-contact-list.php:313
  • action · admin_init · includes\class-contact-list.php:319
  • filter · wp_insert_post_data · includes\class-contact-list.php:321
  • action · admin_menu · includes\class-contact-list.php:332
  • action · wp_enqueue_scripts · includes\class-contact-list.php:350
  • action · wp_enqueue_scripts · includes\class-contact-list.php:351
  • action · wp_enqueue_scripts · includes\class-contact-list.php:352
  • action · wp_enqueue_scripts · includes\class-contact-list.php:353
  • action · init · includes\class-contact-list.php:354
  • action · rest_api_init · includes\class-contact-list.php:355
  • action · enqueue_block_assets · includes\class-contact-list.php:356
  • action · init · includes\class-contact-list.php:357
Maintenance & Trust

Contact List – Online Staff Directory & Address Book Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 7.0
  • Last updated: Mar 10, 2026
  • PHP min version: 7.2
  • Downloads: 77K

Community Trust

  • Rating: 96/100
  • Number of ratings: 18
  • Active installs: 1K
Developer Profile

Contact List – Online Staff Directory & Address Book Developer Profile

Anssi Laitila

2 plugins · 5K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 272 days
Detection Fingerprints

How We Detect Contact List – Online Staff Directory & Address Book

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/contact-list/css/admin.css
  • /wp-content/plugins/contact-list/css/frontend.css
  • /wp-content/plugins/contact-list/js/admin.js
  • /wp-content/plugins/contact-list/js/frontend.js
Script Paths
  • /wp-content/plugins/contact-list/js/admin.js
  • /wp-content/plugins/contact-list/js/frontend.js
Version Parameters
  • contact-list/css/admin.css?ver=
  • contact-list/css/frontend.css?ver=
  • contact-list/js/admin.js?ver=
  • contact-list/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cl-contact-list-wrapper
  • cl-contact-list-item
  • cl-contact-list-name
  • cl-contact-list-email
  • cl-contact-list-phone
  • cl-contact-list-address
  • cl-contact-list-website
  • cl-contact-list-notes
  • +2 more
Data Attributes
data-contact-list-id
JS Globals
ContactListFrontend
REST Endpoints
/wp-json/contact-list/v1/contacts
Shortcode Output
[contact-list]
FAQ

Frequently Asked Questions about Contact List – Online Staff Directory & Address Book