CVE-2026-25004
Stored XSS in CM Business Directory <= 1.5.3 Allows Code Injection
Publication date: 2026-02-19
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| creativemindssolutions | cm_business_directory | up to 1.5.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25004 is a Cross Site Scripting (XSS) vulnerability in the WordPress CM Business Directory Plugin versions up to and including 1.5.3.
This vulnerability allows a malicious actor to inject and execute malicious scripts, such as redirects, advertisements, or other HTML payloads, on websites using the affected plugin.
Exploitation requires user interaction by a privileged user (author or developer role) who must perform an action like clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability is classified under OWASP Top 10 category A3: Injection and has a moderate severity with a CVSS score of 5.9.
How can this vulnerability impact me?
If exploited, this vulnerability can allow attackers to execute malicious scripts on your website, which may lead to unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.
However, exploitation requires interaction by a privileged user, which limits the risk to some extent.
The issue is considered low priority with no impactful threat and is unlikely to be widely exploited.
To mitigate the risk, users should update the plugin to version 1.5.4 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross Site Scripting (XSS) issue in the CM Business Directory WordPress plugin up to version 1.5.3. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts are being injected or executed.
Since exploitation requires user interaction by privileged users, monitoring for unusual script injections or unexpected HTML payloads in the plugin's input fields or stored data can help detect attempts.
Specific commands are not provided in the available resources. However, common detection methods include:
- Checking the installed plugin version via WordPress dashboard or command line (e.g., using WP-CLI: `wp plugin list`)
- Searching the database for suspicious script tags or payloads in the plugin's stored data
- Monitoring web server logs for unusual requests or payloads targeting the plugin [1]
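The two detection methods the answer names (checking the installed version against the affected range, and scanning stored plugin data for script-like content) as an added example; this is not code from the page or from the plugin vendor. The plugin slug `cm-business-directory`, the record field names and all sample data are assumptions constructed for the demonstration.

```python
import json
import re

# Vulnerable range taken from the advisory: all versions up to and including 1.5.3.
LAST_VULNERABLE = "1.5.3"
# Plugin directory slug is an assumption; the page only gives the product id.
PLUGIN_SLUG = "cm-business-directory"


def version_tuple(v):
    """Turn '1.5.3' into (1, 5, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(version, last_vulnerable=LAST_VULNERABLE):
    """True when an installed version falls inside the advisory's affected range."""
    return version_tuple(version) <= version_tuple(last_vulnerable)


def affected_plugin_version(plugin_list_json, slug=PLUGIN_SLUG):
    """Parse `wp plugin list --format=json` output; return the vulnerable version or None."""
    for plugin in json.loads(plugin_list_json):
        version = plugin.get("version")
        if plugin.get("name") == slug and version and is_affected(version):
            return version
    return None


# Markers of script injection in stored text: script tags, javascript: URLs,
# and inline event handlers such as onerror= or onload= (word boundary avoids
# matching ordinary words like "conversion=").
SCRIPT_MARKERS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious(records):
    """records: iterable of (id, field, value). Return (id, field) pairs holding script-like content."""
    return [(rec_id, field) for rec_id, field, value in records if SCRIPT_MARKERS.search(value or "")]


# Constructed sample data (not real output from any site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "1.5.3"},
])
SAMPLE_RECORDS = [
    (101, "description", "Best bakery in town <script>alert('x')</script>"),
    (102, "website", "<img src=x onerror=alert(1)>"),
    (103, "description", "Open Mon-Fri, conversion=none, see our website"),
]

if __name__ == "__main__":
    print("vulnerable plugin version:", affected_plugin_version(SAMPLE_PLUGIN_LIST))
    print("records with script-like content:", find_suspicious(SAMPLE_RECORDS))
```

A hit from `find_suspicious` is a lead for manual review of that listing, not proof of exploitation; the version check is the decisive signal for whether the update to 1.5.4 is still outstanding.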
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the CM Business Directory plugin to version 1.5.4 or later, where the vulnerability has been patched.
Additionally, users should limit privileged user interactions with untrusted content and avoid clicking suspicious links or submitting untrusted forms within the WordPress admin area.
Using security plugins or services that provide auto-updates and monitoring for vulnerable plugins can also help mitigate risks.