CVE-2025-10178 in CM Business Directory Plugin
Summary
by MITRE • 09/26/2025
The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/26/2025
The CM Business Directory plugin for WordPress presents a critical security vulnerability classified as stored cross-site scripting in versions up to and including 1.5.2. This weakness stems from inadequate input sanitization and output escaping mechanisms within the plugin's cmbd_featured_image shortcode implementation. The vulnerability affects authenticated attackers who possess contributor-level privileges or higher, enabling them to execute malicious code through crafted input parameters that persist in the application's database. The stored nature of this vulnerability means that malicious scripts are not limited to a single request but remain embedded within the system and execute whenever affected pages are accessed by any user with appropriate permissions. This represents a significant threat to WordPress installations that rely on the CM Business Directory plugin for business directory functionality, as it allows attackers to potentially compromise user sessions, steal sensitive information, or redirect users to malicious websites.
The technical flaw manifests specifically within the plugin's handling of user-supplied attributes passed to the cmbd_featured_image shortcode. When administrators or contributors with sufficient privileges create or modify content using this shortcode, the plugin fails to properly sanitize or escape the input parameters before storing them in the database. This insufficient validation allows malicious payloads to be injected through shortcode attributes such as image URLs, custom parameters, or other configurable options. The vulnerability operates under CWE-79 which categorizes cross-site scripting flaws as weaknesses in input validation and output escaping. The flaw represents a classic case of improper neutralization of input during web page generation, where the application fails to properly escape dynamic content before rendering it to end users. The security implications extend beyond simple script execution as this vulnerability can be leveraged for session hijacking, data theft, or even privilege escalation within the WordPress environment.
The operational impact of this vulnerability extends far beyond simple code injection, creating a persistent threat vector that can affect multiple users within a WordPress installation. Any user who accesses a page containing the maliciously injected shortcode will automatically execute the stored script, potentially leading to widespread compromise of user accounts and sensitive data exposure. The vulnerability is particularly dangerous because it requires only contributor-level access, which is often granted to trusted users who may not be fully security-aware. This means that even legitimate users with moderate privileges can inadvertently create security risks for the entire site. The attack surface is further expanded by the fact that business directory plugins are commonly used in environments where multiple users contribute content, making the potential for exploitation more likely. This vulnerability directly aligns with ATT&CK technique T1566.001 which covers "Phishing with Social Engineering" and T1584.001 which covers "Compromise of Third-Party Applications" as attackers can leverage this vulnerability to compromise the WordPress platform through legitimate user contributions.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the stored XSS flaw, as this represents the most effective solution to prevent exploitation. Organizations should implement strict input validation and output escaping mechanisms for all user-supplied content, particularly within shortcode implementations. Regular security audits of WordPress plugins should include verification of input sanitization practices and output escaping routines to prevent similar vulnerabilities from emerging. Network monitoring solutions should be configured to detect suspicious script injection patterns and anomalous user behavior that might indicate exploitation attempts. Additionally, implementing role-based access controls that limit contributor privileges to essential functions only can reduce the potential impact of such vulnerabilities. Security teams should also consider implementing content security policies that restrict script execution and prevent unauthorized code injection, while maintaining regular patch management procedures to ensure all WordPress components remain up-to-date with security fixes. The vulnerability serves as a reminder of the importance of input validation and output escaping practices in web application security, particularly for plugins that handle user-generated content and dynamic shortcode parameters.