Impact
The vulnerability is a classic Cross-Site Scripting flaw that allows an attacker to inject malicious scripts into the output of the WordPress Business Directory plugin when that output is processed by a subscriber. If an attacker can deliver crafted input that is rendered without proper sanitization, they could hijack user sessions, deface the site, or exfiltrate data. This weakness is identified as CWE-79.
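The root cause described above, untrusted input rendered into HTML without sanitization or escaping, is easiest to see next to its fix. The following is an added illustration written for this page; it is not the Business Directory plugin's code, and the hypothetical `bd_example_*` functions, the `_bd_example_*` meta keys and the `bd_example_save` nonce action are assumptions. It shows a listing-description field handled the vulnerable way and the hardened way using WordPress's own sanitization and escaping helpers (`wp_kses_post`, `esc_html`, `esc_attr`, `esc_url`).

```php
<?php
// Added example, not the Business Directory plugin's code.
// A hypothetical listing-description field stored as post meta.

// Vulnerable pattern: the submitted value is stored as-is and echoed
// straight into HTML, so any markup it contains is executed by the
// browser of every visitor who views the listing (CWE-79).
function bd_example_save_unsafe( int $post_id, array $request ): void {
    update_post_meta( $post_id, '_bd_example_description', $request['description'] ?? '' );
}

function bd_example_render_unsafe( int $post_id ): void {
    $description = get_post_meta( $post_id, '_bd_example_description', true );
    echo '<div class="listing-description">' . $description . '</div>';
}

// Hardened pattern: check capability and nonce, sanitize on input,
// and escape again on output.
function bd_example_save_safe( int $post_id, array $request ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $request['_bd_nonce'] )
        || ! wp_verify_nonce( $request['_bd_nonce'], 'bd_example_save' ) ) {
        return;
    }
    // wp_unslash() removes the slashes WordPress adds to request data;
    // wp_kses_post() keeps the HTML allowed in post content and strips
    // <script>, event-handler attributes and other dangerous constructs.
    $description = wp_kses_post( wp_unslash( $request['description'] ?? '' ) );
    update_post_meta( $post_id, '_bd_example_description', $description );
}

function bd_example_render_safe( int $post_id ): void {
    $description = get_post_meta( $post_id, '_bd_example_description', true );
    // Escape at the point of output as well: stored values may predate the
    // fix or have been written by another code path.
    echo '<div class="listing-description">' . wp_kses_post( $description ) . '</div>';

    // Plain-text fields use esc_html() in element content and esc_attr()
    // inside attributes; URLs use esc_url().
    $title = get_post_meta( $post_id, '_bd_example_title', true );
    echo '<h2 class="listing-title">' . esc_html( $title ) . '</h2>';
    echo '<a href="' . esc_url( get_permalink( $post_id ) ) . '" title="' . esc_attr( $title ) . '">Details</a>';
}
```

The point of escaping at both ends is defence in depth: input sanitization limits what reaches the database, while output escaping chosen for the exact HTML context (element content, attribute, URL) is what actually prevents the browser from interpreting stored data as code. Reviewing a plugin for this class of bug means looking for every `echo` or template variable that originates from user-controllable data and confirming the context-appropriate `esc_*`/`wp_kses_*` call sits on the output path.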
Affected Systems
Affected are installations of the WordPress Business Directory plugin version 6.4.22 or earlier, distributed by Strategy11 Team (product: Business Directory). WordPress sites running these versions are susceptible; any site that has this plugin installed with subscriber capabilities is potentially impacted.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate risk, suggesting that exploitation may not be trivial but could be achieved if the plugin is not patched. The EPSS score is not available, so a precise exploitation probability cannot be stated. The vulnerability is not listed in CISA's KEV catalog, implying no known widespread attacks to date, but absence from the catalog does not preclude future exploitation. Attackers would likely need to convince a subscriber or generate a link that forces the plugin to render unsanitized content, indicating a potential user-interaction or authenticated path. Because the flaw is client-side, a successful exploit would affect the victim's browser rather than the server, but could still lead to significant user data compromise.
OpenCVE Enrichment