What the vulnerability does
01Description
Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
CVE-2026-57326
MEDIUM
CVE-2026-57326: WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability
CVSS base score
6.5/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Business Directory versions up to 6.4.22 contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into the application. An attacker can craft a malicious link or page that, when visited by a site user, executes arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or defacement. The vulnerability affects the application's scope, meaning the impact may extend beyond the vulnerable component itself.
What an attacker can do
03Attacker Capabilities
Inject and execute malicious JavaScript in a user's browser to steal session cookies, credentials, or perform actions on their behalf.
Potential impact on your site
04Site Impact
Site users visiting malicious links could have their sessions compromised or personal data stolen; your site's reputation may be damaged if used to distribute malware.
Conditions required to exploit
05Prerequisites
A site user must visit a malicious link or page crafted by the attacker; no authentication or special privileges required.
Key dates
06Disclosure timeline
June 29, 2026
CVE published
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2017-2601
CVE-2026-57333 WordPress Link Whisper Free plugin <= 0.9.4 - Reflected Cross Site Scripting (XSS) vulnerability
CVE-2026-48880 WordPress WP Job Portal plugin <= 2.5.2 - Cross Site Scripting (XSS) vulnerability
CVE-2026-2502 xmlrpc attacks blocker <= 1.0 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For'
CVE-2025-46786 Zoom Workplace Apps - Cross-site Scripting
