CVE-2026-8892 in CM Business Directory Plugininfo

Summary

by MITRE • 07/03/2026

The CM Business Directory – Optimise and showcase local business plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the malicious payload is stored in post meta rather than post_content, WordPress's unfiltered_html capability restriction does not apply, meaning contributors who lack that capability can still inject executable HTML via the address meta fields such as cmbd_address, cmbd_cityTown, cmbd_stateCounty, cmbd_postalcode, cmbd_region, and cmbd_country.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability exists within the CM Business Directory plugin for WordPress, specifically affecting versions through 1.5.7, where stored cross-site scripting flaws have been identified in the business address meta fields. The technical flaw stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or encode user-supplied data before it is stored in the database and subsequently rendered on web pages. Attackers with contributor-level privileges or higher can exploit this weakness by injecting malicious scripts into the address metadata fields, including cmbd_address, cmbd_cityTown, cmbd_stateCounty, cmbd_postalcode, cmbd_region, and cmbd_country, which are all susceptible to this type of injection attack.

The operational impact of this vulnerability is significant as it allows authenticated attackers to execute arbitrary web scripts in the context of any user who accesses pages containing the injected content. Unlike typical XSS vulnerabilities that might be limited to post_content fields where WordPress's unfiltered_html capability restriction would prevent contributors from injecting executable HTML, this flaw specifically targets meta fields where such restrictions do not apply. This means that even users without explicit unfiltered_html capabilities can still inject malicious payloads through these address meta fields, creating a broader attack surface than typical contributor-level vulnerabilities might suggest.

The vulnerability aligns with CWE-79 which describes Cross-Site Scripting flaws occurring when user-provided data is improperly escaped or validated before being rendered in web pages. This particular instance represents a stored XSS variant where malicious code persists in the database and executes whenever affected pages are accessed, making it particularly dangerous as the payload remains active until manually removed from the meta fields. The attack vector operates through the WordPress meta field system which bypasses the standard content filtering mechanisms that normally protect against such injections, creating a persistent threat that can affect any user who views pages containing compromised address metadata.

Mitigation strategies should include immediate patching to version 1.5.8 or later where this vulnerability has been addressed through proper input sanitization and output escaping implementations for all affected meta fields. System administrators should also consider implementing additional security measures such as role-based access controls that limit the ability of contributors to modify meta fields, along with regular monitoring of database entries for suspicious script content. Organizations should conduct thorough audits of their WordPress installations to identify any other plugins that may be susceptible to similar vulnerabilities, particularly those handling user-provided metadata. The ATT&CK framework classification would place this under T1546.001 for 'Registry Run Keys / Startup Folder' if the malicious scripts attempt persistence, though the primary concern here is the stored XSS execution which falls under T1203 for 'Exploitation for Client Execution' and T1059.007 for 'Command and Scripting Interpreter: JavaScript' as the injected code executes within user browsers through standard scripting mechanisms.

Responsible

Wordfence

Reservation

05/18/2026

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00212

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!