CVE-2025-10178 is a stored Cross-Site Scripting (XSS) vulnerability affecting the CM Business Directory plugin for WordPress, developed by creativemindssolutions. This vulnerability exists in all versions up to and including 1.5.2 of the plugin. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the 'cmbd_featured_image' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions within the context of the victim's browser session. The vulnerability does not require user interaction beyond visiting the injected page and does not require elevated privileges beyond contributor access, which is commonly granted to users who can submit content but not publish it. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality and integrity but no impact on availability. No known public exploits have been reported yet, and no patches are linked in the provided data, indicating that mitigation may require manual updates or vendor intervention. The vulnerability affects the confidentiality and integrity of data processed by the affected WordPress sites, potentially enabling attackers to steal sensitive information or manipulate site content and user sessions.

For European organizations using WordPress sites with the CM Business Directory plugin, this vulnerability poses a significant risk to the confidentiality and integrity of their web platforms. Stored XSS can lead to session hijacking, defacement, or unauthorized actions performed on behalf of legitimate users, which can damage reputation, lead to data breaches, or facilitate further attacks such as privilege escalation or lateral movement within the organization. Given that contributor-level access is sufficient for exploitation, insider threats or compromised contributor accounts can be leveraged to inject malicious scripts. This risk is particularly acute for businesses relying on the plugin to showcase local businesses, as attackers could manipulate listings or steal user data. The lack of known exploits in the wild currently reduces immediate risk, but the medium CVSS score and the ease of exploitation suggest that attackers may develop exploits soon. European organizations must be vigilant, especially those in sectors with high web presence or regulatory requirements around data protection (e.g., GDPR), as exploitation could lead to compliance violations and financial penalties.

1. Immediate mitigation involves restricting contributor-level access to trusted users only, implementing strict user account management and monitoring for suspicious activity. 2. Apply input validation and output encoding manually if possible by customizing the shortcode or filtering inputs through security plugins that sanitize user inputs. 3. Monitor for updates from creativemindssolutions and apply patches promptly once available. 4. Employ Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the affected shortcode parameters. 5. Conduct regular security audits and penetration testing focusing on user-generated content areas. 6. Educate contributors about the risks of uploading untrusted content and enforce content review workflows before publishing. 7. Use Content Security Policy (CSP) headers to restrict script execution sources, limiting the impact of injected scripts. 8. Implement multi-factor authentication (MFA) for all user accounts to reduce the risk of compromised credentials being used to exploit the vulnerability.