Cm Business Directory Optimise And Showcase Local Business
Monthly
Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though Wordfence has published full technical details including exact vulnerable code line references and an upstream fix commit.
Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though Wordfence has published full technical details including exact vulnerable code line references and an upstream fix commit.