Business Directory
Monthly
Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated remote attackers to perform unauthorized operations against directory data, yielding limited integrity and availability impacts. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms exploitation requires no authentication, no special configuration, and no user interaction, making the attack trivially accessible to any network-reachable actor. No public exploit code and no CISA KEV listing are confirmed at time of analysis, placing current real-world exploitation risk in the moderate range.
Cross-site scripting in the Business Directory WordPress plugin (versions 6.4.22 and earlier) allows authenticated subscriber-level users to inject arbitrary JavaScript that executes in other users' browsers. The scope-change indicator in the CVSS vector (S:C) confirms the payload can cross trust boundaries - most critically, scripts injected by a low-privilege subscriber can execute in the context of a higher-privilege user such as an administrator. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated cross-site scripting in the Business Directory WordPress plugin (versions <= 6.4.22) allows remote attackers without any authentication to inject and store arbitrary JavaScript that executes in the context of a victim's browser when they visit an affected page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-accessible exploitation requiring no privileges, with a scope change indicating the payload crosses from the plugin's execution context into the victim's browser session. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated nature and low complexity lower the barrier to abuse significantly.
The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%.
Cross-Site Request Forgery (CSRF) vulnerability in Business Directory Team Business Directory Plugin - Easy Listing Directories for WordPress allows Cross-Site Request Forgery.3.10. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated remote attackers to perform unauthorized operations against directory data, yielding limited integrity and availability impacts. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms exploitation requires no authentication, no special configuration, and no user interaction, making the attack trivially accessible to any network-reachable actor. No public exploit code and no CISA KEV listing are confirmed at time of analysis, placing current real-world exploitation risk in the moderate range.
Cross-site scripting in the Business Directory WordPress plugin (versions 6.4.22 and earlier) allows authenticated subscriber-level users to inject arbitrary JavaScript that executes in other users' browsers. The scope-change indicator in the CVSS vector (S:C) confirms the payload can cross trust boundaries - most critically, scripts injected by a low-privilege subscriber can execute in the context of a higher-privilege user such as an administrator. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated cross-site scripting in the Business Directory WordPress plugin (versions <= 6.4.22) allows remote attackers without any authentication to inject and store arbitrary JavaScript that executes in the context of a victim's browser when they visit an affected page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-accessible exploitation requiring no privileges, with a scope change indicating the payload crosses from the plugin's execution context into the victim's browser session. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated nature and low complexity lower the barrier to abuse significantly.
The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%.
Cross-Site Request Forgery (CSRF) vulnerability in Business Directory Team Business Directory Plugin - Easy Listing Directories for WordPress allows Cross-Site Request Forgery.3.10. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.