CVE-2025-10178 – This vulnerability allows authenticated WordPre... (How to Fix)

Q: What is the severity of CVE-2025-10178?

CVE-2025-10178 has a CVSS score of 6.4 (MEDIUM). This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages using the CM Business Directory plugin's 'cmbd_featured_image' shortcode. The scripts execute whenever users view the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using CM Business Directory plugin versions 1.5.2 and earlier are affected.

📋 TL;DR

This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages using the CM Business Directory plugin's 'cmbd_featured_image' shortcode. The scripts execute whenever users view the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using CM Business Directory plugin versions 1.5.2 and earlier are affected.

💻 Affected Systems

Products:

CM Business Directory WordPress Plugin

Versions: All versions up to and including 1.5.2

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled. Contributor-level or higher user access is needed for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator credentials, take full control of the WordPress site, install backdoors, and compromise visitor data through session hijacking or malware distribution.

🟠

Likely Case

Site defacement, cookie/session theft from visitors, redirection to malicious sites, or injection of cryptocurrency miners.

🟢

If Mitigated

Limited to authenticated users only, with minimal impact if proper user access controls and content security policies are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires authenticated access (contributor role or higher) and knowledge of WordPress shortcode usage. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.5.2

Vendor Advisory: https://wordpress.org/plugins/cm-business-directory/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'CM Business Directory' and check if update is available. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download latest version from WordPress plugin repository and replace plugin files.

🔧 Temporary Workarounds

Disable Contributor Role Access

all

Temporarily restrict contributor-level users from creating or editing posts until patch is applied.

Remove Shortcode Usage

all

Identify and remove all instances of 'cmbd_featured_image' shortcode from posts and pages.

🧯 If You Can't Patch

Implement strict Content Security Policy (CSP) headers to prevent script execution from unauthorized sources
Install Web Application Firewall (WAF) with XSS protection rules and regularly audit user-generated content

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins. If CM Business Directory version is 1.5.2 or earlier, the system is vulnerable.

Check Version:

wp plugin list --name='CM Business Directory' --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, verify plugin version is higher than 1.5.2 in WordPress admin panel. Test shortcode functionality to ensure proper sanitization.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests containing 'cmbd_featured_image' shortcode with script tags
Multiple failed login attempts followed by successful contributor-level login

Network Indicators:

Outbound connections to unknown domains from WordPress pages
Unexpected JavaScript payloads in HTTP responses

SIEM Query:

source="wordpress.log" AND ("cmbd_featured_image" AND ("script" OR "javascript" OR "onerror"))

📊 Metadata

CVE ID: CVE-2025-10178

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.06% exploit probability (18.4th percentile)

Published: September 26, 2025

Last Updated: September 26, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10178, you might also want to check these: