Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Contributor account required (PR:L); stored payload auto-executes on page load (UI:N); scope changes to victim browsers enabling session theft (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The CM Business Directory - Optimise and showcase local business plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the malicious payload is stored in post meta rather than post_content, WordPress's unfiltered_html capability restriction does not apply, meaning contributors who lack that capability can still inject executable HTML via the address meta fields such as cmbd_address, cmbd_cityTown, cmbd_stateCounty, cmbd_postalcode, cmbd_region, and cmbd_country.
AnalysisAI
Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold an authenticated WordPress account with at minimum contributor-level access on the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects low-complexity network exploitation with Scope:Changed, meaning a successful attack affects users beyond the attacker's own session - specifically enabling cookie theft, credential harvesting, or administrator session hijacking against page visitors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a contributor account on a WordPress site with open registration, navigates to the business listing submission form, and injects a JavaScript payload such as a document.cookie exfiltration script into the Address or City field. The payload is stored in post meta without sanitization; when any authenticated user - including a site administrator - views the published business listing page, the script executes in their browser, transmitting their session cookie to an attacker-controlled endpoint and enabling full account takeover. |
| Remediation | An upstream fix has been committed to the plugin repository via WordPress Plugin Trac changeset 3590314 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590314%40cm-business-directory&new=3590314%40cm-business-directory); however, the exact patched release version number is not confirmed in the available data - verify that a version above 1.5.7 is available in the WordPress plugin directory before upgrading, and update to the latest available release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41491
GHSA-fq8v-w9f5-mxc7