{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25004", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.104Z", "datePublished": "2026-02-19T08:26:51.689Z", "dateUpdated": "2026-04-28T16:14:53.062Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cm-business-directory", "product": "CM Business Directory", "vendor": "CreativeMindsSolutions", "versions": [{"changes": [{"at": "1.5.4", "status": "unaffected"}], "lessThanOrEqual": "1.5.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Arif Shaikh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:40.268Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.<p>This issue affects CM Business Directory: from n/a through <= 1.5.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.This issue affects CM Business Directory: from n/a through <= 1.5.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:53.062Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cm-business-directory/vulnerability/wordpress-cm-business-directory-plugin-1-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress CM Business Directory plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T18:59:43.265263Z", "id": "CVE-2026-25004", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T20:08:25.333Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25004", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T18:59:43.265263Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T18:08:42.541Z"}}], "cna": {"title": "WordPress CM Business Directory plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Arif Shaikh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CreativeMindsSolutions", "product": "CM Business Directory", "versions": [{"status": "affected", "changes": [{"at": "1.5.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.5.3"}], "packageName": "cm-business-directory", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:40.268Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/cm-business-directory/vulnerability/wordpress-cm-business-directory-plugin-1-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.This issue affects CM Business Directory: from n/a through <= 1.5.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.<p>This issue affects CM Business Directory: from n/a through <= 1.5.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.605Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25004", "state": "PUBLISHED", "dateUpdated": "2026-04-27T20:08:25.333Z", "dateReserved": "2026-01-28T09:50:57.104Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:51.689Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.This issue affects CM Business Directory: from n/a through <= 1.5.3."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en CreativeMindsSolutions CM Business Directory cm-business-directory permite XSS Almacenado. Este problema afecta a CM Business Directory: desde n/a hasta &lt;= 1.5.3."}], "id": "CVE-2026-25004", "lastModified": "2026-04-27T21:16:26.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-19T09:16:14.210", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cm-business-directory/vulnerability/wordpress-cm-business-directory-plugin-1-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "CM Business Directory", "source": "cna", "vendor": "CreativeMindsSolutions"}, "product": "cm_business_directory", "vendor": "creativemindssolutions"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:43:58.090776+00:00", "value": {"mitigation_remediation": ["Update CM Business Directory to a version newer than 1.5.3 when an official patch is released.", "If a later version is unavailable, consider disabling the plugin or removing it entirely from the site.", "As an interim measure, restrict the plugin\u2019s input capabilities to administrators only to limit the attack surface."], "summary": {"action": "Assess Impact", "impact": "Cross-site scripting (XSS)"}, "threat_synthesis": {"affected_systems": "CreativeMindsSolutions CM Business Directory plugin versions up to and including 1.5.3 are affected. The issue exists in all releases from the earliest available version through version 1.5.3.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting (XSS) flaw that allows an attacker to inject malicious script code into the CM Business Directory plugin. When the input is later rendered in the web page, the script executes in the context of visitors\u2019 browsers, potentially enabling theft of session cookies, credential logging, or other client\u2011side attacks. The flaw is identified as CWE\u201179 and is rated with a CVSS score of 5.9, indicating a moderate impact within the affected environment.", "risk_and_exploitability": "The CVSS score of 5.9 reflects the potential for information disclosure and client\u2011side compromise, but the EPSS score of less than 1% suggests that active exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to exploit the flaw by submitting malicious input via the plugin\u2019s interface, which is then stored and displayed to site users. Because the stored payload runs from the website, any user who views the affected content will be at risk. The lack of a published patch sequence means administrators should promptly review updates or mitigate risk through disabling or restricting the plugin."}}}}, "created": "2026-02-20T10:11:09.483878+00:00", "updated": "2026-04-28T17:45:16.144131+00:00", "vendors": ["creativemindssolutions", "creativemindssolutions$PRODUCT$cm_business_directory", "wordpress", "wordpress$PRODUCT$wordpress"]}