Skip to main content

CM Business Directory CVE-2026-8892

| EUVDEUVD-2026-41491 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-03 Wordfence GHSA-fq8v-w9f5-mxc7
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Contributor account required (PR:L); stored payload auto-executes on page load (UI:N); scope changes to victim browsers enabling session theft (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 05:49 vuln.today
CVE Published
Jul 03, 2026 - 04:30 cve.org
MEDIUM 6.4

DescriptionCVE.org

The CM Business Directory - Optimise and showcase local business plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the malicious payload is stored in post meta rather than post_content, WordPress's unfiltered_html capability restriction does not apply, meaning contributors who lack that capability can still inject executable HTML via the address meta fields such as cmbd_address, cmbd_cityTown, cmbd_stateCounty, cmbd_postalcode, cmbd_region, and cmbd_country.

AnalysisAI

Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress contributor account
Delivery
Inject XSS payload into address meta field
Exploit
Payload persists in post meta bypassing unfiltered_html
Execution
Victim visits published business listing page
Persist
Stored script executes in victim browser
Impact
Exfiltrate session cookie to attacker server

Vulnerability AssessmentAI

Exploitation The attacker must hold an authenticated WordPress account with at minimum contributor-level access on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects low-complexity network exploitation with Scope:Changed, meaning a successful attack affects users beyond the attacker's own session - specifically enabling cookie theft, credential harvesting, or administrator session hijacking against page visitors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a contributor account on a WordPress site with open registration, navigates to the business listing submission form, and injects a JavaScript payload such as a document.cookie exfiltration script into the Address or City field. The payload is stored in post meta without sanitization; when any authenticated user - including a site administrator - views the published business listing page, the script executes in their browser, transmitting their session cookie to an attacker-controlled endpoint and enabling full account takeover.
Remediation An upstream fix has been committed to the plugin repository via WordPress Plugin Trac changeset 3590314 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590314%40cm-business-directory&new=3590314%40cm-business-directory); however, the exact patched release version number is not confirmed in the available data - verify that a version above 1.5.7 is available in the WordPress plugin directory before upgrading, and update to the latest available release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy