CVE-2025-48162: 
WordPress vulnerability analysis and mitigation

The Simple Business Directory Pro WordPress plugin contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-48162) affecting all versions up to and including 15.5.1. The vulnerability was discovered by João Pedro Soares de Alcântara and was publicly disclosed on July 23, 2025 (Rapid7, Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's web page generation process. It has been assigned a CVSS score of 6.1 (Medium) according to Wordfence, while Patchstack rates it at 7.1. The vulnerability falls under the OWASP Top 10 category A3: Injection (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject arbitrary web scripts into pages that execute when users interact with them. This could lead to potential redirects, unauthorized advertisements, and execution of other malicious HTML payloads on the affected websites (Patchstack).

The vulnerability has been patched in version 15.5.2 of the Simple Business Directory Pro plugin. Website administrators are advised to update to version 15.5.2 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).