Issue Description

XSS in WordPress plugin Chamber Dashboard Business Directory.


User-entered input that contains HTML/JS is not properly encoded on output, resulting in XSS.

Affected versions

Tested on version 3.2.8 (latest)


Enter the payload into an affected field (the phone field in this example) and update the company profile.

In the WordPress admin choose Businesses -> All Businesses, and the entered payload is executed :)

The previous example used the phone field because it is displayed in the directory listing and can therefore be used as an attack vector with fewer clicks required from the admin.

Other vulnerable fields include:

  • Country
  • State
  • Social media url
  • E-mail
  • City
  • Zip
  • Address
  • Location
  • Hours
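The root cause named above, stored profile fields echoed without output encoding, shown as an illustration added here; it is not Chamber Dashboard Business Directory code, and the `$business` array, the field names and the listing markup are assumptions. It places the vulnerable echo beside a version that escapes each value for the context it lands in using WordPress core helpers, and adds the save-time sanitization a maintainer would want as defence in depth.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Assumes a WordPress
 * runtime: esc_html(), esc_url(), esc_url_raw(), sanitize_text_field()
 * and sanitize_email() are core functions. $business is constructed
 * sample input; a harmless <i> tag stands in for injected markup.
 */
$business = [
    'name'    => 'Acme Co',
    'phone'   => '555-0100<i>stored markup</i>',   // constructed
    'email'   => 'info@example.com',
    'website' => 'https://example.com/<i>',        // constructed
    'city'    => 'Springfield',
];

// VULNERABLE pattern: user-controlled meta concatenated raw into HTML,
// so any tag saved through the company-profile form is rendered.
function render_listing_vulnerable(array $b): string {
    return '<li><strong>' . $b['name'] . '</strong>'
         . ' Phone: ' . $b['phone']
         . ' <a href="' . $b['website'] . '">Website</a>'
         . ' <a href="mailto:' . $b['email'] . '">Email</a>'
         . ' ' . $b['city'] . '</li>';
}

// HARDENED: escape at output, choosing the helper by context.
// esc_html() for text nodes (the <i> comes out as &lt;i&gt;),
// esc_url() for href values (strips characters and schemes not allowed).
function render_listing_escaped(array $b): string {
    return '<li><strong>' . esc_html($b['name']) . '</strong>'
         . ' Phone: ' . esc_html($b['phone'])
         . ' <a href="' . esc_url($b['website']) . '">Website</a>'
         . ' <a href="' . esc_url('mailto:' . $b['email']) . '">Email</a>'
         . ' ' . esc_html($b['city']) . '</li>';
}

// Defence in depth: sanitize on save, before the values reach post meta.
// Output escaping above remains the control that actually prevents XSS.
function sanitize_business_fields(array $raw): array {
    $clean = [];
    foreach (['name', 'phone', 'city', 'state', 'country', 'zip',
              'address', 'location', 'hours'] as $k) {
        $clean[$k] = sanitize_text_field($raw[$k] ?? '');
    }
    $clean['email']   = sanitize_email($raw['email'] ?? '');
    $clean['website'] = esc_url_raw($raw['website'] ?? '');
    return $clean;
}
```

The fix that matters for the fields listed above is the output-side escaping; save-time sanitization alone would still leave values already stored in the database rendered raw.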

CVE-2020-24699 was issued.