CVE Catalog
CVE-2026-57328
MediumCVSS 6.5Summary
The Business Directory plugin version 6.4.22 and earlier is vulnerable to Cross Site Scripting (XSS) from a subscriber level. An authenticated subscriber can inject malicious JavaScript code.
Risk Assessment
An attacker with subscriber role can steal other users' sessions, redirect them to malicious sites, or alter admin panel content, leading to data confidentiality and integrity breaches.
Recommendation
Immediately update the Business Directory plugin to version 6.4.23 or later, which includes a fix for the XSS vulnerability.
Original NVD description (English source)
Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.

