CM Business Directory – Optimise and showcase local business Security & Risk Analysis

The "cm-business-directory" plugin v1.5.5 exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and includes a reasonable number of nonce and capability checks, several areas raise concerns. The presence of 3 AJAX handlers without authentication checks presents a significant attack vector, potentially allowing unauthorized actions. Furthermore, the static analysis indicates that only 50% of outputs are properly escaped, suggesting a risk of Cross-Site Scripting (XSS) vulnerabilities, which aligns with its past vulnerability history. The taint analysis revealed one flow with unsanitized paths, which is a critical indicator of potential security flaws, even though it was not classified as critical severity.

The plugin's vulnerability history shows 3 known medium-severity CVEs, all related to Cross-Site Scripting. While none are currently unpatched, the pattern of XSS vulnerabilities, coupled with the observed unescaped outputs and unsanitized paths, indicates a recurring weakness in input validation and output sanitization. The fact that the last vulnerability was recorded in 2026-01-16 suggests that historical data might be forward-looking or based on predictions, but it still highlights past issues.

Overall, the plugin has strengths in its database interaction but weaknesses in handling external inputs and ensuring proper output sanitization. The unprotected AJAX endpoints are a pressing concern that needs immediate attention. While the absence of critical or high-severity issues in the current analysis and no unpatched CVEs are positive, the potential for XSS and unauthorized access through unprotected AJAX handlers warrants a cautious approach.