External risk intelligence

Five Star Business Profile and Schema Arbitrary Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-27436

The vulnerability affects a WordPress plugin, which is part of a web application. While these are commonly internet-facing, this specific vulnerability requires administrative privileges to exploit, meaning it is not directly reachable by unauthenticated internet users and typical deployment patterns often restrict administrative access to internal or VPN-only networks.

Code Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability found in a business profile and schema plugin for a popular content management system. The flaw allows for arbitrary code execution, meaning an attacker could potentially run their own code on affected systems. The primary concern is confirming if this plugin is in use and if administrative access to those systems is appropriately secured.

  • Plugin allows unauthorized code execution.
  • Leadership concern: confirm plugin use and access.
  • Assess relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

A user with administrative privileges could exploit this vulnerability by submitting a specially crafted input. This input would target the vulnerable component within the Five Star Business Profile and Schema plugin. Successful exploitation could lead to the execution of arbitrary code on the affected system.

  • Requires administrative access.
  • Submitting malicious input triggers it.
  • Risk of arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability exists in the Five Star Business Profile and Schema plugin that could allow an authenticated attacker with administrative privileges to execute arbitrary code on the server. This could potentially impact the integrity and availability of the affected website and its data.

  • Arbitrary code execution on the server.
  • Exploited via authenticated administrative access.
  • Compromise of website integrity and data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Five Star Business Profile and Schema plugin likely requires action from application owners and potentially infrastructure or security teams to confirm its presence and assess risk. The first practical step is to identify all instances of this plugin, determine if they are exposed to the internet or used in critical business processes, and then locate the accountable owner for remediation planning.

  • Application owners should manage this issue.
  • Verify plugin reachability and business criticality.
  • Plan remediation based on confirmed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Five Star Business Profile and Schema plugin?

This software is a WordPress plugin used to manage business directory listings and structured data markup, which helps websites display business information clearly in search results. It functions within the content management system to dynamically generate and serve profile pages and schema metadata to site visitors.

What does arbitrary code execution mean for CVE-2026-27436?

This CVE involves CWE-94, or Improper Control of Generation of Code. In plain terms, it means the plugin fails to properly validate inputs, allowing a user to inject and run their own commands on the server. If successful, this effectively gives the attacker control over the underlying system where the website is hosted.

How is this vulnerability triggered?

To trigger the flaw, an attacker must have administrative privileges within the WordPress environment. They would submit specially crafted input to the plugin's interface, causing the server to execute unintended code. Crucially, this cannot be triggered by an anonymous visitor or a standard guest user who lacks elevated administrative access.

Is my site at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a 'Possible' risk. While the plugin is often part of internet-facing web applications, the requirement for administrative privileges provides a critical layer of protection. This means the risk is significantly lower if you restrict administrative access to internal networks or VPNs rather than allowing open internet access.

What should I do if I use this plugin?

Start by auditing your WordPress environment to identify if you are running version 2.3.19 or earlier of the Five Star Business Profile and Schema plugin. Once identified, evaluate the criticality of the site and confirm that administrative access is strictly controlled. Coordinate with your technical team to plan for updates or necessary configuration changes.

References