cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forcm-business-directory cm-business-directory

Direction: ascending
Nov 27, 2024

CM Business Directory Plugin – Business Listing Directory # CVE-2024-11202

CVE, Research URL

CVE-2024-11202

Home page URL

Security reports for CM Business Directory Plugin – Business Listing Directory

Application

CM Business Directory Plugin – Business Listing Directory

Date
Nov 26, 2024
Research Description
CM Business Directory Plugin &#8211; Business Listing Directory [cm-business-directory] < 1.4.2 CVE-2024-11202 [en] Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 1.4.2.
Status
vulnerable
Feb 19, 2025

CM Business Directory Plugin &#8211; Business Listing Directory # CVE-2025-24758

CVE, Research URL

CVE-2025-24758

Home page URL

Security reports for CM Business Directory Plugin &#8211; Business Listing Directory

Application

CM Business Directory Plugin &#8211; Business Listing Directory

Date
Mar 03, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations allows Reflected XSS. This issue affects CM Map Locations: from n/a through 2.0.8.
Affected versions
max 1.4.0.
Status
vulnerable
Nov 10, 2025

CM Business Directory Plugin &#8211; Business Listing Directory # CVE-2025-10178

CVE, Research URL

CVE-2025-10178

Home page URL

Security reports for CM Business Directory Plugin &#8211; Business Listing Directory

Application

CM Business Directory Plugin &#8211; Business Listing Directory

Date
Sep 26, 2025
Research Description
The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.5.3.
Status
vulnerable