Stored Cross-Site Scripting Vulnerability in CM Business Directory Plugin for WordPress
CVE-2026-8892
Key Information:
- Vendor: WordPress
- CVE Published: 3 July 2026
What is CVE-2026-8892?
The CM Business Directory plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to inadequate input sanitization and output escaping. This flaw enables authenticated users with contributor-level access or higher to insert arbitrary web scripts into the Business Address Meta Fields. These scripts execute in the browsers of users visiting the affected pages. Notably, because the malicious scripts are stored in post meta rather than post content, the standard WordPress capability restriction for unfiltered HTML does not apply, so contributors who lack this capability can still have harmful scripts executed via fields such as cmbd_address, cmbd_cityTown, cmbd_stateCounty, cmbd_postalcode, cmbd_region, and cmbd_country.
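As an added example (not the vendor's fix and not code from the plugin), this must-use plugin strips markup from the listed meta keys on every write and reports values already stored that would change under the same sanitizer. It assumes the plugin saves these fields as plain strings through WordPress's standard add_post_meta()/update_post_meta() API; the constant and function names are hypothetical.

```php
<?php
/**
 * Added example: write-time sanitization and audit for the address meta
 * keys named in the advisory. Place in wp-content/mu-plugins/.
 */

// Meta keys listed in the advisory for CVE-2026-8892.
const CMBD_ADDRESS_META_KEYS = array(
    'cmbd_address', 'cmbd_cityTown', 'cmbd_stateCounty',
    'cmbd_postalcode', 'cmbd_region', 'cmbd_country',
);

// WordPress core runs the "sanitize_post_meta_{$key}" filter (via
// sanitize_meta()) whenever post meta is added or updated. Unlike the
// unfiltered_html check on post content, this applies to every role.
foreach ( CMBD_ADDRESS_META_KEYS as $key ) {
    add_filter( "sanitize_post_meta_{$key}", 'sanitize_text_field' );
}

/**
 * Return stored rows whose value differs from its sanitized form.
 * These are candidates for review: the difference may be markup, but
 * also line breaks or extra whitespace, which sanitize_text_field()
 * removes as well.
 *
 * @return array Rows with post_id, meta_key and meta_value properties.
 */
function cmbd_audit_address_meta() {
    global $wpdb;

    // One %s placeholder per key so the IN() list is fully parameterized.
    $placeholders = implode( ', ', array_fill( 0, count( CMBD_ADDRESS_META_KEYS ), '%s' ) );

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_id, meta_key, meta_value
               FROM {$wpdb->postmeta}
              WHERE meta_key IN ($placeholders)",
            CMBD_ADDRESS_META_KEYS
        )
    );

    return array_filter( $rows, function ( $row ) {
        return sanitize_text_field( $row->meta_value ) !== $row->meta_value;
    } );
}
```

The filter only affects new writes, so rows returned by cmbd_audit_address_meta() still need to be cleaned or re-saved, and any template that prints these fields should also escape them with esc_html() on output.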
Affected Version(s)
CM Business Directory – Optimise and showcase local business 0 <= 1.5.7