Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable authenticated code injection requiring an Editor/high-privilege role (PR:H), no user interaction, with RCE breaching the host beyond the plugin (S:C) and full C/I/A loss.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Editor Arbitrary Code Execution in Five Star Business Profile and Schema <= 2.3.19 versions.
AnalysisAI
Remote code execution in the Five Star Business Profile and Schema WordPress plugin (versions up to and including 2.3.19) allows an attacker holding an Editor-level or higher account to inject and execute arbitrary PHP code on the host. Reported by Patchstack and rated CVSS 9.1 due to its scope-changing impact, the flaw turns a trusted content role into full server compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with the Editor role (or higher) on a site running Five Star Business Profile and Schema version 2.3.19 or earlier, per the CVSS PR:H metric and the 'Editor Arbitrary Code Execution' title. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, score 9.1 Critical) describes a network-reachable, low-complexity flaw that requires high privileges (PR:H) and no user interaction, yielding full confidentiality, integrity and availability loss with scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been granted an Editor-level WordPress account - for example through a phished author credential or a malicious sub-user on a multi-contributor site - submits crafted input to the vulnerable plugin function, causing their PHP payload to be stored and executed on the server. With code running as the web-server user, they establish a web shell, harvest wp-config.php database credentials, and pivot to full site takeover. … |
| Remediation | Upgrade the Five Star Business Profile and Schema plugin to the first release above 2.3.19; the input data confirms all versions through 2.3.19 are vulnerable but does not specify the exact fixed version, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/business-profile/vulnerability/wordpress-five-star-business-profile-and-schema-plugin-2-3-19-arbitrary-code-execution-vulnerability) and the plugin's WordPress.org changelog for the patched build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit WordPress installations to identify Five Star Business Profile and Schema plugin at versions through 2.3.19; document all accounts with Editor or Administrator roles on affected sites. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41338
GHSA-5qwh-74pw-p44j