CVE-2025-48162
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Reflected XSS. This issue affects Simple Business Directory Pro: from n/a through <= 15.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Simple Business Directory Pro (≤15.5.1) allows attackers to inject malicious scripts via unvalidated input.
Vulnerability Overview
The Simple Business Directory Pro plugin for WordPress versions up to and including 15.5.1 suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. The flaw exists in the plugin's handling of user-supplied data, which fails to sanitize or escape input before embedding it in output pages. This allows an attacker to craft a malicious link that, when followed by an authenticated user, executes arbitrary HTML and JavaScript in the context of the victim's browser session.
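The escaping failure the overview describes, as an added PHP example that is not code from Simple Business Directory Pro or from the advisory: a request value is written straight into markup, beside the same rendering with context-appropriate output escaping. The parameter name `sbd_search` and the sample input are constructed placeholders; `esc_attr()` and `esc_html()` are the real WordPress escaping functions, with stand-ins defined so the file also runs under a plain PHP CLI.

```php
<?php
// Added illustration (hypothetical, not the plugin's code): the generic
// reflected-XSS pattern the advisory describes, next to its escaped form.
// 'sbd_search' is an assumed parameter name, not one from the advisory.

// Stand-ins so this runs outside WordPress. Inside WordPress the real
// esc_attr()/esc_html() from wp-includes/formatting.php are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE pattern: the query value is concatenated straight into markup,
// so quote and angle-bracket characters in it are interpreted by the browser.
function render_search_box_vulnerable(array $get): string {
    $q = $get['sbd_search'] ?? '';
    return '<input type="text" name="sbd_search" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// HARDENED pattern: escape for the exact context the value lands in.
// esc_attr() for an attribute value, esc_html() for element text; both
// neutralise < > & " ' so the input can only ever be displayed, not parsed.
function render_search_box_hardened(array $get): string {
    $q = $get['sbd_search'] ?? '';
    return '<input type="text" name="sbd_search" value="' . esc_attr($q) . '">'
         . '<p>Results for: ' . esc_html($q) . '</p>';
}

// Returns true when no raw tag from the input survives in the rendered output.
function output_is_escaped(string $html): bool {
    return strpos($html, '<b>') === false && strpos($html, '">' . '<b') === false;
}

// Constructed input containing the characters an escaper must neutralise.
$sample = ['sbd_search' => '"><b>probe</b>'];

echo "vulnerable: " . render_search_box_vulnerable($sample) . PHP_EOL;
echo "hardened:   " . render_search_box_hardened($sample) . PHP_EOL;
echo "vulnerable output escaped? "
   . (output_is_escaped(render_search_box_vulnerable($sample)) ? 'yes' : 'no') . PHP_EOL;
echo "hardened output escaped?   "
   . (output_is_escaped(render_search_box_hardened($sample)) ? 'yes' : 'no') . PHP_EOL;
```

Run with `php example.php`. The point of the pairing is the context rule: the same value needs `esc_attr()` inside an attribute and `esc_html()` inside element text, and escaping has to happen at the point of output rather than once at input, which is also why the vendor fix and the Patchstack rule mentioned below both target the rendering path rather than the request.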
Exploitation Requirements
Exploitation requires the victim to have at least some level of privilege (e.g., a subscriber or higher role) and to interact with a specially crafted URL, such as by clicking a link or visiting a crafted page [1]. The attacker does not need direct network access to the server but must trick an authenticated user into triggering the payload. Reflected XSS typically relies on social engineering to lure victims into clicking the malicious link, which then reflects the injected script back from the vulnerable web application.
Impact and Risks
Successful exploitation could allow an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which would be executed when any visitor accesses the affected site [1]. This can lead to session hijacking, defacement, or theft of sensitive information. The vulnerability is considered moderately dangerous and is expected to become part of mass-exploit campaigns, targeting thousands of websites regardless of their traffic or popularity [1].
Mitigation Status
The vendor has released version 15.5.2, which resolves the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update, a mitigation rule from Patchstack can block attacks until the patch is applied [1]. The CVSS v3 score is 7.1 (High), and user interaction is required for exploitation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.