CVE-2025-10178 is a stored cross-site scripting (XSS) vulnerability identified in the CM Business Directory – Optimise and showcase local business plugin for WordPress, affecting all versions up to and including 1.5.2. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'cmbd_featured_image' shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and scope change due to impact on other components. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors. The lack of available patches at the time of reporting increases the urgency for administrators to apply workarounds or restrict contributor permissions. The vulnerability is cataloged under CWE-79, emphasizing the importance of proper input validation and output encoding in web applications to prevent XSS attacks.

The impact of CVE-2025-10178 on organizations worldwide can be significant, particularly for those relying on the CM Business Directory plugin within their WordPress environments. Successful exploitation allows authenticated contributors to inject persistent malicious scripts, which execute in the browsers of any users visiting the infected pages. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, defacement, or distribution of malware. The compromise of user accounts or administrative sessions can escalate into broader site control, data breaches, or reputational damage. Since the vulnerability requires contributor-level access, organizations with multiple content creators or less restrictive role management are at higher risk. The absence of known exploits currently limits immediate widespread impact, but the vulnerability's medium severity and ease of exploitation by insiders or compromised accounts make it a credible threat. Additionally, the scope of affected systems is global, given WordPress's widespread use and the plugin's availability. The vulnerability does not affect availability directly but can undermine integrity and confidentiality of site data and user information.

To mitigate CVE-2025-10178, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of patches, administrators should restrict contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. Implementing a web application firewall (WAF) with rules to detect and block suspicious script injections in shortcode parameters can provide an additional layer of defense. Site administrators should audit existing content for injected scripts, especially in pages using the 'cmbd_featured_image' shortcode, and remove any malicious code found. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Regularly monitoring logs and user activity for unusual behavior or unauthorized changes is critical. Additionally, educating contributors about safe content practices and the risks of injecting untrusted code can reduce accidental exploitation. Finally, consider isolating or disabling the vulnerable shortcode if it is not essential to site functionality until a secure version is released.