Impact
The vulnerability in quantumcloud Simple Business Directory Pro allows attackers to inject and execute arbitrary JavaScript in a victim’s web browser. The flaw results from improper input sanitization during web page generation, enabling reflected XSS that can steal user credentials, hijack sessions, or spread malware. The weakness is a classic Cross‑Site Scripting error as identified by CWE‑79. The impact is confined to the user’s session when the malicious payload is delivered via the plugin’s output.
Affected Systems
WordPress sites running Simple Business Directory Pro version 15.5.1 or earlier. No other product or vendor is listed as affected under the current CNA data.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑to‑high severity vulnerability. The EPSS score of less than 1% shows a very low probability of real‑world exploitation at this time, and the issue is not listed in the CISA KEV catalog. The likely attack vector is a reflected XSS scenario where an attacker crafts a URL or form that a user must visit or submit. Successful exploitation requires an active user with access to the affected page and can result in theft of browser‑side data or session hijacking, but it does not provide remote code execution or system compromise.