Impact
The vulnerability is a stored cross‑site scripting (XSS) flaw that allows an attacker to inject malicious script code into the CM Business Directory plugin. When the input is later rendered in the web page, the script executes in the context of visitors’ browsers, potentially enabling theft of session cookies, credential logging, or other client‑side attacks. The flaw is identified as CWE‑79 and is rated with a CVSS score of 4.8, indicating a moderate impact within the affected environment.
Affected Systems
CreativeMindsSolutions CM Business Directory plugin versions up to and including 1.5.3 are affected. The issue exists in all releases from the earliest available version through version 1.5.3.
Risk and Exploitability
The CVSS score of 4.8 reflects the potential for information disclosure and client‑side compromise, but the EPSS score of less than 1% suggests that the likelihood of active exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to exploit the flaw by submitting malicious input via the plugin’s interface, which is then stored and displayed to site users. Because the stored payload is served by the site itself, any user who views the affected content is at risk. With no published patch, administrators should promptly check for updates and, in the meantime, reduce exposure by disabling or restricting the plugin.
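To make the defect class concrete, the following added example (written for this page, not code from the CM Business Directory plugin or from CreativeMindsSolutions) shows the stored-XSS pattern described above beside its hardened form. The listing record, the render functions and the regression check are all constructed for illustration; the only real APIs used are PHP's htmlspecialchars() and preg_match(), with WordPress's esc_html()/wp_kses_post() named in a comment as the plugin-side equivalents.

```php
<?php
// Added example, not plugin code: a minimal render path for a stored
// directory entry, showing CWE-79 and its fix (encode at output time).

// Constructed sample record standing in for a stored business listing;
// the description carries an inline event handler a submitter could supply.
$listing = [
    'name'        => 'Example Bakery',
    'description' => '<img src=x onerror="alert(document.cookie)">Fresh bread daily',
];

// Vulnerable pattern: stored input is concatenated into HTML unchanged,
// so any markup in the record becomes live DOM in every visitor's browser.
function render_listing_unsafe(array $listing): string
{
    return '<h2>' . $listing['name'] . '</h2>'
         . '<p>' . $listing['description'] . '</p>';
}

// Hardened pattern: encode for the HTML text context when rendering.
// htmlspecialchars() with ENT_QUOTES neutralises <, >, &, " and '.
// Inside a WordPress plugin the equivalent is esc_html() for plain text,
// or wp_kses_post() when a limited set of safe markup must survive.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_listing_safe(array $listing): string
{
    return '<h2>' . esc($listing['name']) . '</h2>'
         . '<p>' . esc($listing['description']) . '</p>';
}

// Defender-side regression check (hypothetical helper): does the rendered
// output contain an unescaped <script> tag, or an element that carries an
// on*= event-handler attribute? Escaped input turns '<img' into '&lt;img',
// so the attribute is no longer inside a real tag and the check stays clean.
function contains_active_markup(string $html): bool
{
    return (bool) preg_match('/<script\b|<[a-z][^>]*\son\w+\s*=/i', $html);
}

echo "unsafe: ", render_listing_unsafe($listing), "\n";
echo "active markup present: ", contains_active_markup(render_listing_unsafe($listing)) ? 'yes' : 'no', "\n";
echo "safe:   ", render_listing_safe($listing), "\n";
echo "active markup present: ", contains_active_markup(render_listing_safe($listing)) ? 'yes' : 'no', "\n";
```

The point of the split is where the encoding happens: storing the raw submission is acceptable, but every place it is written into a page must encode for that context. The check above only covers the HTML text context; a value placed inside an attribute, a URL or a script block needs the encoder for that context instead, which is why a single sanitising step at input time is not a reliable fix for this class of flaw.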
OpenCVE Enrichment