CVE Catalog

CVE-2026-57328

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Summary

The Business Directory plugin version 6.4.22 and earlier is vulnerable to Cross Site Scripting (XSS) from a subscriber level. An authenticated subscriber can inject malicious JavaScript code.

Risk Assessment

An attacker with subscriber role can steal other users' sessions, redirect them to malicious sites, or alter admin panel content, leading to data confidentiality and integrity breaches.

Recommendation

Immediately update the Business Directory plugin to version 6.4.23 or later, which includes a fix for the XSS vulnerability.

Original NVD description (English source)

Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS