CVE-2025-10178
Description
The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in CM Business Directory plugin for WordPress via 'cmbd_featured_image' shortcode, allowing authenticated contributors to inject scripts.
The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.5.2. The vulnerability exists in the 'cmbd_featured_image' shortcode, which does not sufficiently sanitize user-supplied attributes or escape output, allowing attackers to inject arbitrary web scripts [1].
To exploit this vulnerability, an attacker must be authenticated with at least contributor-level access. By crafting a malicious attribute in the shortcode, the attacker can inject JavaScript that becomes stored on the page. When other users, including administrators, view the affected page, the injected script executes in the context of their browser [1].
Successful exploitation could allow an attacker to perform actions like stealing session cookies, defacing the site, redirecting users to malicious sites, or performing actions on behalf of the victim. The impact is limited by the contributor role requirement, but any user with that role could potentially compromise the site [1].
As of the publication date, no patch is mentioned. Users are advised to update the plugin to the latest available version once a fix is released, and to restrict contributor-level access to trusted users only [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
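The description attributes the flaw to missing sanitization and output escaping of shortcode attributes. The following hypothetical PHP handler is an added illustration of the fix pattern, not the CM Business Directory plugin's own code: attributes are allow-listed with shortcode_atts and escaped with esc_url/esc_attr before being written into HTML. The function_exists fallbacks are assumed stand-ins so the file runs from the PHP CLI outside WordPress.

```php
<?php
// Added example, not the plugin's own code: a shortcode handler that escapes
// every author-controlled attribute before output. Outside WordPress the
// helpers below are minimal stand-ins; inside WordPress core's versions are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        $url    = trim((string) $url);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
            return ''; // drop non-http(s) schemes such as javascript: or data:
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) {
        $atts = is_array($atts) ? $atts : [];
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}

// Hypothetical hardened handler for a featured-image shortcode (name assumed).
function example_featured_image_sc($atts) {
    $a = shortcode_atts([
        'src'   => '',
        'alt'   => '',
        'class' => 'featured-image',
        'width' => '',
    ], $atts);
    // Values come from the post author (contributor role): allow-list, then escape.
    $src = esc_url($a['src']);
    if ($src === '') {
        return ''; // no usable URL: emit nothing rather than a broken tag
    }
    $width = preg_match('/^\d{1,4}$/', (string) $a['width']) ? (int) $a['width'] : null;
    $html  = '<img src="' . $src . '" alt="' . esc_attr($a['alt']) . '"';
    $html .= ' class="' . esc_attr($a['class']) . '"';
    if ($width !== null) {
        $html .= ' width="' . $width . '"';
    }
    return $html . ' />';
}

// Constructed sample input containing attribute-breaking characters.
echo example_featured_image_sc(['src' => 'https://example.com/a.png', 'alt' => 'Shop "A" & <b>', 'class' => 'x" data-y="z']), PHP_EOL;
```

Run with `php example.php`; the quotes, ampersand and angle brackets in alt and class are emitted as HTML entities, so they stay inside their attribute values instead of opening new ones.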
Affected products
- Range: <=1.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/cm-business-directory/tags/1.5.2/frontend/cm-business-directory-business-page-sc.php (nvd)
- plugins.trac.wordpress.org/browser/cm-business-directory/trunk/frontend/cm-business-directory-business-page-sc.php (nvd)
- wordpress.org/plugins/cm-business-directory/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/2c1ecd71-57ed-44ba-a007-3b96b98d3bf7 (nvd)
News mentions
No linked articles in our index yet.