CVE-2025-68887
Published: 08 January 2026
Summary
CVE-2025-68887 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It is ranked at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-68887 is an improper neutralization of input during web page generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79. It affects the WP-BusinessDirectory plugin for WordPress (plugin slug wp-businessdirectory), developed by CMSJunkie, in all versions from n/a through 4.0.1.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Unauthenticated attackers can exploit it remotely by tricking victims into interacting with crafted input reflected in web pages, achieving low impacts on confidentiality, integrity, and availability with a changed scope.
Patchstack documents this issue in its vulnerability database for the WP-BusinessDirectory plugin, accessible at https://patchstack.com/database/Wordpress/Plugin/wp-businessdirectory/vulnerability/wordpress-wp-businessdirectory-plugin-3-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1508
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS. This issue affects WP-BusinessDirectory: from n/a through <= 4.0.1.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS directly enables browser session hijacking and theft of web session cookies once a victim clicks a crafted link; it also maps to exploitation of a public-facing web application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all inputs so that unneutralized reflected XSS payloads are not processed and echoed in responses.
- SI-15 (Information Output Filtering): requires output filtering/encoding so that any untrusted data reflected into web pages cannot execute as script.
- Information flow enforcement: enforces information flow rules that can restrict untrusted input from being reflected directly into generated web content without mediation.
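The two controls above correspond to two concrete coding habits: allow-list the input on the way in (SI-10) and encode it for the HTML context on the way out (SI-15). The following Python example, added here and unrelated to the plugin's actual code, shows the reflected-XSS pattern beside its hardened form for a hypothetical directory search parameter `q`; the crafted query string is constructed for the demonstration. In a WordPress plugin the same output step is done with esc_html() for element content and esc_attr() for attribute values.

```python
import html
import re

# Constructed sample input: a search string carrying markup that a reflected
# XSS page would echo straight back into the response.
CRAFTED_QUERY = "<script>alert(1)</script>"

# Allow-list for a directory search term: word characters, whitespace and a
# little punctuation, 1-100 characters. Anything else is rejected (SI-10).
SEARCH_TERM = re.compile(r"[\w\s\-.,']{1,100}")


def render_results_vulnerable(query):
    """The CWE-79 pattern: the raw parameter is interpolated into HTML."""
    return f"<h2>Results for: {query}</h2>"


def render_results_encoded(query):
    """SI-15 output filtering: HTML-encode before reflecting.
    quote=True also escapes ' and ", which is what makes the value safe
    inside the quoted attribute below, not only in element text."""
    safe = html.escape(query, quote=True)
    return (f"<h2>Results for: {safe}</h2>"
            f'<input type="text" name="q" value="{safe}">')


def validate_search_term(query):
    """SI-10 input validation: return the term if it matches the allow-list,
    otherwise None. fullmatch anchors the pattern to the whole string."""
    if not SEARCH_TERM.fullmatch(query):
        return None
    return query


def handle_request(params):
    """Hypothetical request handler combining both controls: validate on the
    way in, encode on the way out. Returns (status, body)."""
    term = validate_search_term(params.get("q", ""))
    if term is None:
        return 400, "<p>Invalid search term.</p>"
    return 200, render_results_encoded(term)


if __name__ == "__main__":
    print("vulnerable:", render_results_vulnerable(CRAFTED_QUERY))
    print("encoded:   ", render_results_encoded(CRAFTED_QUERY))
    print("validated: ", handle_request({"q": CRAFTED_QUERY}))
    print("normal:    ", handle_request({"q": "plumbers near Boston"}))
```

Note that the two layers are independent: validation is the first line of defence and rejects the crafted input outright, while encoding guarantees that whatever does reach the template is rendered as text even when the allow-list is loosened later (an apostrophe in "O'Brien", for example, is emitted as `&#x27;`).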