WordPress · Cm Business Directory · CVE-2026-8892
**Name of the Vulnerable Software and Affected Versions**
CM Business Directory versions prior to 1.5.8
**Description**
Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting. This occurs when arbitrary web scripts are injected into pages via business address meta fields, which then execute when a user accesses the affected page. Because the payload is stored in post meta instead of post content, the WordPress `unfiltered html` capability restriction is bypassed. The affected variables include `cmbd address`, `cmbd cityTown`, `cmbd stateCounty`, `cmbd postalcode`, `cmbd region`, and `cmbd country`.
**Recommendations**
Update to a version newer than 1.5.7.
Restrict the use of the `cmbd address`, `cmbd cityTown`, `cmbd stateCounty`, `cmbd postalcode`, `cmbd region`, and `cmbd country` fields to trusted users only.