Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Subscriber auth required (PR:L), victim must view payload (UI:R), scope changes to other users' browsers (S:C); availability impact not supported by typical stored XSS mechanics.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
AnalysisAI
Cross-site scripting in the Business Directory WordPress plugin (versions 6.4.22 and earlier) allows authenticated subscriber-level users to inject arbitrary JavaScript that executes in other users' browsers. The scope-change indicator in the CVSS vector (S:C) confirms the payload can cross trust boundaries - most critically, scripts injected by a low-privilege subscriber can execute in the context of a higher-privilege user such as an administrator. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid subscriber-level WordPress account on the target site - subscriber registration must be enabled (WordPress Setting: Membership > Anyone can register). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 6.5 with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L places this in the medium-high tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on the target WordPress site, then submits a business directory listing containing a crafted JavaScript payload in a field that lacks proper output encoding. When a site administrator reviews or approves pending submissions - a routine administrative task - the stored script executes in the administrator's browser session, potentially exfiltrating the admin's authentication cookies or silently triggering privileged actions such as creating a new admin account. … |
| Remediation | The primary fix is to update the Business Directory Plugin beyond version 6.4.22 via the WordPress dashboard (Plugins > Updates) or by downloading directly from the WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Business Directory
View allThe Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.
Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated rem
Unauthenticated cross-site scripting in the Business Directory WordPress plugin (versions <= 6.4.22) allows remote attac
Cross-Site Request Forgery (CSRF) vulnerability in Business Directory Team Business Directory Plugin - Easy Listing Dire
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40099
GHSA-mfg7-q8ff-25x2