CVE-2026-57326
Received Received - Intake

Unauthenticated Cross Site Scripting in Business Directory

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Patchstack

Description
Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-57326
EUVD
EUVD-2026-40097

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
patchstack business_directory to 6.4.22 (inc)
patchstack business_directory_plugin to 6.4.23 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress Business Directory Plugin, versions 6.4.22 and earlier, is vulnerable to a Cross Site Scripting (XSS) attack. This means attackers can inject malicious scripts into the website, which execute when visitors access the site.

The vulnerability is classified as medium priority with a CVSS score around 6.1 to 6.5, indicating moderate danger. Exploitation requires a privileged user to perform an action such as clicking a malicious link or submitting a form.

Injected scripts can include redirects or advertisements, potentially compromising the website's integrity and user experience.

Impact Analysis

This vulnerability can lead to attackers injecting malicious scripts that execute in the context of your website, potentially redirecting visitors to harmful sites or displaying unwanted advertisements.

Such attacks can damage your website's reputation, degrade user trust, and may lead to further exploitation if attackers gain additional access.

Because exploitation requires a privileged user to interact with malicious content, social engineering or phishing tactics might be used to trigger the attack.

Mitigation Strategies

The vulnerability in the WordPress Business Directory Plugin versions 6.4.22 and earlier can be mitigated by updating the plugin to version 6.4.23 or later, where the issue is patched.

Until the update is applied, it is advised to implement the mitigation rule issued by Patchstack to block attacks targeting this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57326. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart