CVE-2026-1656 in Business Directory Plugin
Summary
by MITRE • 02/18/2026
The Business Directory Plugin for WordPress is vulnerable to authorization bypass due to a missing authorization check in all versions up to, and including, 6.4.20. This makes it possible for unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email addresses, by directly referencing the listing ID in crafted requests to the wpbdp_ajax AJAX action.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/18/2026
The vulnerability identified as CVE-2026-1656 affects the Business Directory Plugin for WordPress, a widely used tool for creating and managing business listings within WordPress environments. This plugin has been found to contain a critical authorization bypass flaw that exists in all versions up to and including 6.4.20. The vulnerability stems from a fundamental missing authorization check within the plugin's code structure, specifically within the wpbdp_ajax AJAX action handler. This flaw creates a significant security gap that allows unauthorized individuals to manipulate business directory listings without proper authentication credentials.
The technical implementation of this vulnerability lies in the plugin's failure to validate user permissions before processing AJAX requests. When an attacker crafts a malicious request targeting the wpbdp_ajax endpoint, they can directly reference any listing ID within the system. This missing authorization check means that the plugin does not verify whether the requesting user has proper permissions to modify the specified listing. The vulnerability is particularly dangerous because it operates at the application level, bypassing standard WordPress authentication mechanisms that typically protect such administrative functions.
The operational impact of this authorization bypass is severe and far-reaching for organizations using the affected plugin. Unauthenticated attackers can modify arbitrary listings within the business directory, potentially changing critical information such as business titles, content descriptions, and contact email addresses. This capability enables malicious actors to defraud users by altering business information, potentially redirecting customers to fraudulent services, or spreading misinformation about legitimate businesses. The vulnerability also creates opportunities for attackers to inject malicious content or links into business listings, which can propagate through the directory and affect numerous users who rely on the directory for business information.
This vulnerability maps directly to CWE-863, which describes "Incorrect Authorization" in software systems, and aligns with several MITRE ATT&CK techniques including T1078 for valid accounts and T1566 for phishing. The attack surface is particularly concerning because it allows for persistent modifications that can remain undetected for extended periods. Organizations may not immediately discover that their business listings have been compromised, especially if the changes are subtle or if the directory is not actively monitored. The impact extends beyond simple data modification, as compromised business listings can damage brand reputation, cause customer confusion, and potentially lead to financial losses for affected businesses.
The recommended mitigation strategy involves immediate patching of the Business Directory Plugin to the latest available version that addresses this authorization bypass vulnerability. System administrators should also implement additional security measures such as monitoring AJAX endpoints for unusual traffic patterns, implementing web application firewalls to detect and block suspicious requests, and conducting regular security audits of WordPress plugins. Organizations should consider disabling unnecessary AJAX endpoints when possible and implementing proper input validation and output encoding to further reduce the attack surface. Additionally, regular security assessments of WordPress installations should include verification of plugin authorization mechanisms to prevent similar vulnerabilities from being introduced or overlooked in the future.