Description
Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic Cross‑Site Scripting flaw (CWE‑79): the WordPress Business Directory plugin renders input supplied by a low‑privileged user without adequate sanitization or output escaping, so an attacker holding a Subscriber‑level account can inject script that executes in the browser of any other user who later views the affected output. The "Subscriber" in the title denotes the privilege the attacker needs (recorded in the CVSS vector as PR:L), not the victim. A successful injection could hijack the victim's session, deface the site, or exfiltrate data from the victim's browser; if the victim is an administrator, the injected script can act with that administrator's authority.
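To make the CWE‑79 pattern concrete, the following is an added illustration in PHP. It is not Business Directory code and does not claim to show the plugin's actual vulnerable field or code path; it assumes a hypothetical listing form through which a Subscriber‑level user can save an owner name, a title and a website URL that the plugin later renders for other users. The stub functions reproduce, in simplified form, the behaviour of WordPress core's esc_html(), esc_attr() and esc_url() so the file runs outside WordPress.

```php
<?php
// Added example: the generic CWE-79 pattern in a WordPress-style listing renderer.
// Not Business Directory's code; the listing fields and form are hypothetical.

// Simplified stand-ins for WordPress core escaping helpers so this runs outside
// WordPress. Inside WordPress, core defines these and the stubs are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Core's esc_url accepts a longer list of schemes; this simplified version
    // accepts only http/https, which is enough to reject javascript: and data: URLs.
    function esc_url($url) {
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: user-controlled values are concatenated straight into HTML.
// Whoever can save a listing (here, a Subscriber) controls what executes in the
// browser of whoever views it later.
function render_listing_vulnerable(array $listing) {
    return '<div class="listing" data-owner="' . $listing['owner'] . '">'
         . '<h3>' . $listing['title'] . '</h3>'
         . '<a href="' . $listing['website'] . '">Website</a>'
         . '</div>';
}

// Hardened pattern: escape each value for the context it lands in (HTML text,
// attribute value, URL attribute). Escape at output time even if the value was
// sanitized on save, because the stored value may have entered by another path.
function render_listing_hardened(array $listing) {
    return '<div class="listing" data-owner="' . esc_attr($listing['owner']) . '">'
         . '<h3>' . esc_html($listing['title']) . '</h3>'
         . '<a href="' . esc_url($listing['website']) . '">Website</a>'
         . '</div>';
}

// Constructed sample input of the kind a low-privileged account could submit.
$listing = [
    'owner'   => 'subscriber" onmouseover="alert(1)',
    'title'   => 'Acme Plumbing <img src=x onerror=alert(document.cookie)>',
    'website' => 'javascript:alert(document.domain)',
];

echo "Vulnerable:\n", render_listing_vulnerable($listing), "\n\n";
echo "Hardened:\n",   render_listing_hardened($listing), "\n";
```

Run it with `php listing.php`: the first block of output contains a live `<img onerror=...>`, an attribute breakout on `data-owner`, and a `javascript:` href; in the second the angle brackets and quotes are entity‑encoded and the href is emptied. When reviewing a plugin for this class of bug the check is mechanical: every echo or string interpolation that ends up in HTML should pass through the escaper matching its context (esc_html for text, esc_attr for attributes, esc_url for href/src, wp_kses_post where limited HTML is intentionally allowed), and the save path should additionally verify the user's capability rather than trusting that only trusted users reach the form.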

Affected Systems

Affected are installations of the WordPress Business Directory plugin by Strategy11 Team at version 6.4.22 or earlier. Every WordPress site running one of these versions is exposed. Sites that let visitors register Subscriber accounts (open registration) are the most exposed, since that is the privilege level the flaw requires; sites whose Subscriber‑level accounts belong only to known users still carry the risk that a compromised or malicious account is used as the injection point.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) scores 6.5 Medium: the flaw is reachable over the network with low attack complexity, requires low privileges (a Subscriber account, or the ability to register one), and requires user interaction, since a victim has to view the page where the injected content is rendered. The changed scope reflects that the injected script executes in the victim's browser under the site's origin rather than inside the plugin. The EPSS estimate is below 1% (Very Low), and the CVE is not listed in CISA's KEV catalog; the SSVC assessment recorded in the history (Exploitation: none, Automatable: no, Technical Impact: partial) points the same way. Low current exploitation estimates do not preclude future exploitation once a proof of concept circulates. The likely attack path is an authenticated Subscriber injecting unsanitized content that a higher‑privileged user, such as an administrator, later views. The server is not directly compromised, but a script running in an administrator's session can perform administrative actions under that session, which is how an XSS of this class becomes a full site compromise.

Generated by OpenCVE AI on June 29, 2026 at 16:24 UTC.

Remediation

Vendor Solution

Update the WordPress Business Directory Plugin to the latest available version (at least 6.4.23).


OpenCVE Recommended Actions

  • Upgrade the WordPress Business Directory plugin to version 6.4.23 or later, which removes the XSS flaw.
  • If updating is not immediately possible, disable or uninstall the outdated plugin from the WordPress site.
  • If the outdated plugin must remain active, reduce exposure in the meantime: restrict or disable open Subscriber registration, review existing Subscriber accounts, and deploy a Content Security Policy that forbids inline script so that injected markup cannot execute. Site administrators cannot add input sanitization to the plugin's own code short of patching it; the CSP and account controls are compensating controls, not a fix, and the upgrade remains the remediation.
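As an added example of the Content Security Policy compensating control above, here is a must‑use plugin for WordPress that emits a CSP header on front‑end requests. It is not OpenCVE's or Strategy11's code; the function names prefixed `csp_example_` and the policy values are assumptions to be tuned per site, and the only WordPress API it relies on is the `send_headers` action.

```php
<?php
/**
 * Plugin Name: CSP compensating control (added example)
 * Description: Emits a Content-Security-Policy header on front-end requests.
 *
 * Added example for this advisory page, not Business Directory or OpenCVE code.
 * Place the file in wp-content/mu-plugins/ so it loads as a must-use plugin.
 * The csp_example_* names and the policy directives are assumptions.
 */

// Policy: no inline script, no script from origins other than the site itself,
// no plugin objects, no rewriting of the document base. An injected <script>
// block or onerror= handler is blocked because it is inline; an injected
// <script src="https://attacker.example/x.js"> is blocked because the origin is
// not listed in script-src.
function csp_example_policy() {
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'self'",
    ]);
}

// Report-only first: WordPress themes and plugins commonly print inline
// scripts, and an enforced policy would break them. Run report-only, read the
// browser console violations (or a report endpoint), add hashes or nonces for
// the legitimate inline scripts, then enforce. Adding 'unsafe-inline' to
// script-src would re-enable the injected handlers and defeat the control.
function csp_example_header_name($enforce) {
    return $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
}

// Returns true if the header was sent, false if output had already started.
function csp_example_send($enforce = false) {
    if (headers_sent()) {
        return false;
    }
    header(csp_example_header_name($enforce) . ': ' . csp_example_policy());
    return true;
}

if (function_exists('add_action')) {
    // 'send_headers' fires while WordPress sends its own response headers on
    // front-end requests, which is where the plugin's listings are rendered.
    add_action('send_headers', function () {
        csp_example_send(false); // change to true once the report-only run is clean
    });
}
```

Keep in mind what this does and does not cover: it stops injected script from executing in browsers that enforce CSP, but it does not remove the injected content, does not protect the plugin's own rendering code, and does nothing for a payload that is pure HTML (an injected form or link used for phishing). It buys time for the upgrade to 6.4.23 or later; it does not replace it.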

Generated by OpenCVE AI on June 29, 2026 at 16:24 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Strategy11team
                                        Strategy11team business Directory Plugin
                                        Wordpress
                                        Wordpress wordpress
Vendors & Products                      Strategy11team
                                        Strategy11team business Directory Plugin
                                        Wordpress
                                        Wordpress wordpress

Mon, 29 Jun 2026 16:30:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 15:00:00 +0000

Type                  Values Removed    Values Added
Description                             Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
Title                                   WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability
Weaknesses                              CWE-79
References
Metrics                                 cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T15:51:34.682Z

Reserved: 2026-06-24T12:45:08.530Z

Link: CVE-2026-57328

Vulnrichment

Updated: 2026-06-29T15:51:27.858Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:32Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')