Stored Cross-Site Scripting Vulnerability in CM Business Directory Plugin for WordPress
CVE-2026-8892

6.4 MEDIUM

What is CVE-2026-8892?

The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through its Business Address Meta Fields because of inadequate input sanitization and output escaping. Authenticated users with contributor-level access or higher can insert arbitrary web scripts into these fields, and the scripts execute in the browsers of users who visit the affected pages. Because the scripts are stored in post meta rather than post content, the standard WordPress capability restriction for unfiltered HTML does not apply: contributors who lack that capability can still inject scripts via fields such as cmbd_address, cmbd_cityTown, cmbd_stateCounty, cmbd_postalcode, cmbd_region, and cmbd_country.
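
An audit check for the fields named above, as an added example that is not the plugin's code: it scans rows exported from the wp_postmeta table as (post_id, meta_key, meta_value) and flags address values that contain markup. The row format, the pattern list and the sample rows are assumptions constructed for illustration.

```python
import re

# Meta keys named in the advisory as injectable address fields.
ADDRESS_META_KEYS = {
    "cmbd_address", "cmbd_cityTown", "cmbd_stateCounty",
    "cmbd_postalcode", "cmbd_region", "cmbd_country",
}

# An address value is plain text, so any of these patterns deserves review.
SUSPICIOUS = [
    ("html_tag", re.compile(r"</?[a-zA-Z]")),            # opening or closing tag
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),  # inline handler attribute
    ("script_uri", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
]


def audit_postmeta(rows):
    """Return one finding per address meta row whose value looks like markup."""
    findings = []
    for post_id, meta_key, meta_value in rows:
        if meta_key not in ADDRESS_META_KEYS:
            continue  # only the fields listed in the advisory are in scope
        value = meta_value or ""  # NULL meta values are treated as empty
        reasons = [name for name, rx in SUSPICIOUS if rx.search(value)]
        if reasons:
            findings.append(
                {"post_id": post_id, "meta_key": meta_key, "reasons": reasons}
            )
    return findings


# Constructed sample rows (not real data); payloads are inert markers.
SAMPLE_ROWS = [
    (101, "cmbd_address", "12 High Street"),
    (101, "cmbd_cityTown", "Leeds"),
    (102, "cmbd_address", "<script>/* constructed marker */</script>"),
    (103, "cmbd_region", '" onmouseover="/* constructed marker */'),
    (104, "cmbd_country", "A < B Trading, Unit 4"),   # bare '<' is not a tag
    (105, "some_other_meta", "<b>not an address field</b>"),
    (106, "cmbd_postalcode", None),
]

if __name__ == "__main__":
    for finding in audit_postmeta(SAMPLE_ROWS):
        print(finding)
```

Rows flagged here identify posts to review and clean after updating the plugin; a clean result does not prove the fields were never abused, since the patterns are heuristics.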

Affected Version(s)

CM Business Directory – Optimise and showcase local business: versions 0 through 1.5.7 (<= 1.5.7)

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ