Executive Summary

CVE-2026-25004 is a Cross Site Scripting (XSS) vulnerability in the WordPress CM Business Directory Plugin versions up to and including 1.5.3.

This vulnerability allows a malicious actor to inject and execute malicious scripts—such as redirects, advertisements, or other HTML payloads—on websites using the affected plugin.

Exploitation requires user interaction by a privileged user (author or developer role) who must perform an action like clicking a malicious link, visiting a crafted page, or submitting a form.

The vulnerability is classified under OWASP Top 10 category A3: Injection and has a moderate severity with a CVSS score of 5.9.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability can allow attackers to execute malicious scripts on your website, which may lead to unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.

However, exploitation requires interaction by a privileged user, which limits the risk to some extent.

The issue is considered low priority with no impactful threat and is unlikely to be widely exploited.

To mitigate the risk, users should update the plugin to version 1.5.4 or later.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a Stored Cross Site Scripting (XSS) issue in the CM Business Directory WordPress plugin up to version 1.5.3. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts are being injected or executed.'}, {'type': 'paragraph', 'content': "Since exploitation requires user interaction by privileged users, monitoring for unusual script injections or unexpected HTML payloads in the plugin's input fields or stored data can help detect attempts."}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources. However, common detection methods include:'}, {'type': 'list_item', 'content': 'Checking the installed plugin version via WordPress dashboard or command line (e.g., using WP-CLI: `wp plugin list`)'}, {'type': 'list_item', 'content': "Searching the database for suspicious script tags or payloads in the plugin's stored data"}, {'type': 'list_item', 'content': 'Monitoring web server logs for unusual requests or payloads targeting the plugin'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to update the CM Business Directory plugin to version 1.5.4 or later, where the vulnerability has been patched.

Additionally, users should limit privileged user interactions with untrusted content and avoid clicking suspicious links or submitting untrusted forms within the WordPress admin area.

Using security plugins or services that provide auto-updates and monitoring for vulnerable plugins can also help mitigate risks.

Useful 0 Not Useful 0