WordPress Security Bulletin: Business Directory Plugin (CVE-2026-1656)

Security Alert Summary

The Business Directory Plugin for WordPress contains an authorization bypass that allows unauthenticated attackers to modify listings by referencing a listing ID in crafted requests to the plugin’s AJAX action. According to the CVE entry, all versions up to and including 6.4.20 are affected.


CVE Details

  • CVE ID: CVE-2026-1656
  • Affected component: Business Directory Plugin for WordPress
  • Affected versions: All versions up to and including 6.4.20
  • Published: February 18, 2026 at 9:15:58 AM (time zone not specified)
  • Last modified: February 18, 2026 at 9:15:58 AM (time zone not specified)
  • CVSS v3.1: Base Score 5.3, Severity MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: NONE
    • User Interaction: NONE
    • Scope: UNCHANGED
    • Confidentiality Impact: NONE
    • Integrity Impact: LOW
    • Availability Impact: NONE
  • Authentication / Authorization: No privileges required (unauthenticated requests can trigger the issue)
  • Primary impact: Integrity (LOW) — ability to modify listing content, titles, and email addresses; Confidentiality and Availability: NONE
  • Weakness (CWE): CWE-862

Technical Details

This vulnerability is an authorization bypass caused by a missing authorization check in the plugin’s code. The CVE description specifies that unauthenticated attackers can modify arbitrary listings by directly referencing the listing ID in crafted requests to the wpbdp_ajax AJAX action. Because the plugin fails to verify that the requester is authorized to modify a particular listing, the attack can change listing titles, content, and email addresses without valid credentials.

The issue exists in all versions up to and including 6.4.20, per the CVE description. The entry does not specify a fixed version within the CVE details.
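To show what a CWE-862 missing-authorization bug looks like in a WordPress AJAX handler and how it is closed, here is an added example that is not the plugin's code (the real plugin routes requests through a single wpbdp_ajax action whose internals are not reproduced here). A hypothetical listing-edit handler is shown first without an ownership check, then hardened; the action names, request fields and the post type name are assumptions for illustration.

```php
<?php
// Added example, not Business Directory Plugin code. Action names, field
// names and the post type are assumptions for illustration only.

// Weak pattern: reachable by logged-out users (wp_ajax_nopriv_), and the
// attacker-supplied listing ID alone decides which post gets modified.
function example_edit_listing_weak() {
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    wp_update_post( array(
        'ID'         => $listing_id,
        'post_title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_edit_listing_weak', 'example_edit_listing_weak' );
add_action( 'wp_ajax_nopriv_example_edit_listing_weak', 'example_edit_listing_weak' );

// Hardened pattern: nonce (CSRF), authentication, post-type check, and a
// per-object capability check. current_user_can( 'edit_post', $id ) maps
// through the post type's capabilities, so an author can edit only their
// own listings unless their role grants edit_others_* for that type.
function example_edit_listing_checked() {
    check_ajax_referer( 'example_edit_listing', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    // 'wpbdp_listing' is an assumed post type name for this example.
    if ( ! $listing_id || get_post_type( $listing_id ) !== 'wpbdp_listing' ) {
        wp_send_json_error( 'invalid listing', 400 );
    }

    if ( ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_send_json_error( 'not authorized', 403 );
    }

    $result = wp_update_post( array(
        'ID'         => $listing_id,
        'post_title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
    ), true );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $listing_id ) );
}
// Registered on the authenticated hook only: no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_edit_listing', 'example_edit_listing_checked' );
```

The nonce and login checks alone would not have been enough here: the per-object `current_user_can( 'edit_post', $listing_id )` call is the one that ties the request to the specific listing being changed.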


How This Could Impact Your Website

On a multi-user WordPress site using the Business Directory Plugin, an unauthenticated attacker could send crafted AJAX requests to modify listings. In a realistic scenario, an external attacker modifies public listing titles or content, or substitutes email addresses with attacker-controlled addresses. This can lead to:

  • Legitimate contact details replaced with attacker-controlled ones, causing missed inquiries.
  • Increased risk of targeted phishing or social engineering if attacker-controlled email addresses are visible to site visitors.
  • Misrepresentation of businesses or staff in public listings, which can damage trust and require time to remediate.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and other lower-privilege roles.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual behavior, unexpected listing changes, or unknown requests to AJAX endpoints.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References