CVE-2026-2576 in Business Directory Plugin Plugin
Summary
by MITRE • 02/18/2026
The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'payment' parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
by VulDB Data Team • 02/18/2026
The Business Directory Plugin for WordPress is a widely used solution for creating and managing online business directories. All versions up to and including 6.4.2 contain a critical time-based SQL injection flaw, so every site running an affected version is exposed. The vulnerability stems from inadequate input sanitization and parameter handling in the plugin's codebase, specifically in how the 'payment' parameter is processed: the user-supplied value is used without proper escaping. The flaw sits at the application layer, where user input is incorporated directly into an SQL query without preparation or validation, creating an entry point that malicious actors can reach without credentials.
Exploitation uses time-based SQL injection: an attacker manipulates the 'payment' parameter so that injected SQL executes against the underlying database. Because the affected code neither validates the input nor binds it as a query parameter, additional SQL statements can be appended to the existing query. The query's result is never displayed to the requester, so the attacker instead makes the database delay its response when a chosen condition holds and infers the stored data from the timing differences. This blind technique is particularly dangerous precisely because it needs no direct output from the database to extract information about its structure and contents.
The operational impact extends beyond simple data extraction: a successful injection can lead to full database compromise, exposing user credentials, business information, financial records and other sensitive data stored in the WordPress installation. Because exploitation requires no authentication, anyone who can reach the affected plugin endpoint can attempt it, which makes public-facing websites particularly exposed. The weakness maps directly to CWE-89 (improper neutralization of special elements used in an SQL command) and aligns with ATT&CK technique T1213.002 (data from information repositories), and it represents a significant risk to business directory operators and their customers.
Mitigation requires updating the plugin immediately to version 6.4.3 or later, which addresses the flaw through proper input sanitization and query preparation. Administrators should add web application firewall rules that detect and block SQL injection patterns aimed at the affected parameter, and should review database access controls so that the WordPress database account holds only the privileges it needs, limiting the damage a successful injection can do. Monitoring for unusual database query patterns and deploying intrusion detection can surface exploitation attempts. More broadly, prepared statements and parameterized queries should be applied throughout the WordPress installation to prevent similar flaws in other components. The vulnerability underlines how important correct input validation and parameter handling are wherever user-supplied data reaches a database.
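As an added example, not part of the VulDB analysis or the plugin's own code, the following Python script applies the monitoring advice above to constructed access-log lines: it extracts the 'payment' parameter from each request, flags values that do not look like the numeric identifier the parameter is assumed to carry, looks for database time-delay functions, and flags responses that ran unusually long. The log format, the numeric-id assumption, the request paths and the 3-second threshold are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample log lines (combined format plus response time in ms); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Feb/2026:10:00:01 +0000] "GET /directory/?payment=42 HTTP/1.1" 200 5120 17
203.0.113.10 - - [18/Feb/2026:10:00:02 +0000] "GET /directory/?payment=42%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5034
203.0.113.11 - - [18/Feb/2026:10:00:03 +0000] "GET /directory/?payment=42%20AND%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 5120 4988
203.0.113.12 - - [18/Feb/2026:10:00:04 +0000] "POST /directory/?payment=abc HTTP/1.1" 200 100 20
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)
# MySQL/MariaDB time-delay primitives that time-based probes rely on.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
# Assumption (not stated in the advisory): a legitimate 'payment' value is a numeric id.
EXPECTED_RE = re.compile(r'^\d{1,10}$')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def payment_values(target):
    """Return every decoded 'payment' value in the request's query string."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get('payment', [])

def inspect_payment(value, elapsed_ms, slow_ms):
    """Return the reasons a 'payment' value looks like a time-based injection probe."""
    reasons = []
    if not EXPECTED_RE.match(value):
        reasons.append('non-numeric payment value')
    if DELAY_RE.search(value):
        reasons.append('time-delay function in payment value')
    if elapsed_ms >= slow_ms:  # weak on its own, strong alongside the checks above
        reasons.append('slow response')
    return reasons

def scan_log(text, slow_ms=3000):
    """Flag requests whose 'payment' parameter looks suspicious or ran unusually long."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in payment_values(rec['target']):
            reasons = inspect_payment(value, int(rec['ms']), slow_ms)
            if reasons:
                findings.append({'ip': rec['ip'], 'payment': value, 'reasons': reasons})
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the three suspicious requests and leaves the first, well-formed one alone; in production the threshold should be derived from the endpoint's normal latency.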