CM Business Directory: Stored Cross-Site Scripting in Directory Listings

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.8

CM Business Directory: Stored Cross-Site Scripting in Directory Listings

CVE-2026-25004

Summary

The CM Business Directory plugin is vulnerable to a stored cross-site scripting (XSS) attack. This means that if an attacker injects malicious code into a directory listing, it can be executed by other users who visit that listing. To fix this, update to version 1.5.4 or later.

Original title

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.This issue...

Original description

nvd CVSS3.1 4.8

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://patchstack.com/database/Wordpress/Plugin/cm-business-directory/vulnerabi...

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026