Security Alert Summary
The Business Directory Plugin 6 Easy Listing Directories for WordPress contains a time-based SQL injection vulnerability in the payment parameter. According to the CVE entry, insufficient escaping and lack of proper preparation of an existing SQL query allow unauthenticated attackers to append additional SQL statements and extract sensitive data from the database.
CVE Details
- CVE ID: CVE-2026-2576
- Affected plugin / component: Business Directory Plugin 6 Easy Listing Directories for WordPress (WordPress plugin)
- Affected versions: All versions up to, and including, 6.4.2
- Published: February 18, 2026 at 5:16:29 AM UTC
- Last modified: February 18, 2026 at 5:16:29 AM UTC
- CVSS v3.1: Base Score 7.5, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Authentication / privileges / user interaction: No authentication required; privileges required: None; user interaction: None
- Primary impact: Confidentiality: High; Integrity: None; Availability: None
- CWE / weakness: CWE-89 (SQL Injection)
- Fixed version: Not specified in the CVE entry
Technical Details
The vulnerability is a time-based SQL injection triggered via the payment parameter. The CVE description states the issue is caused by insufficient escaping of user-supplied input combined with a lack of proper preparation on an existing SQL query. This allows an unauthenticated attacker to append additional SQL queries to an existing query, enabling extraction of sensitive information from the database by observing time-based responses.
The CVE references point to code locations related to the vulnerable processing, in particular the plugin repository files includes/controllers/pages/class-checkout.php and includes/db/class-db-query-set.php. These references indicate where query construction and input handling occur in the plugin, and therefore where the insufficient escaping or missing preparation is expected to be found.
The impact, as stated in the CVE, is limited to data exposure (confidentiality). There is no CVE-provided indication of integrity or availability impacts beyond that data disclosure risk.
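To make the CWE-89 pattern concrete, the following is an added illustration written for this page; it is not the plugin's code and does not reproduce the vulnerable lines the CVE references. It contrasts string interpolation into SQL (the "insufficient escaping, no preparation" pattern) with the WordPress-idiomatic fix using $wpdb->prepare(). It assumes WordPress's global $wpdb; the table name example_payments and the function names are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): the unsafe pattern CWE-89
// describes versus the WordPress-idiomatic fix. Assumes WordPress's global
// $wpdb; the table {$wpdb->prefix}example_payments and the function names
// are hypothetical.

// Vulnerable pattern: the request value is interpolated straight into SQL with
// no escaping and no preparation, so whatever arrives in ?payment= becomes part
// of the statement the database executes. A time-based probe works precisely
// because the injected text is run as SQL and the response delay is observable.
function example_lookup_payment_unsafe( $payment_param ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}example_payments WHERE payment_id = '{$payment_param}'";
    return $wpdb->get_row( $sql );
}

// Hardened version: validate the expected type first, then bind the value
// through $wpdb->prepare() so it is always treated as data, never as syntax.
// $wpdb->prefix is a trusted server-side value, so interpolating it is fine.
function example_lookup_payment_safe( $payment_param ) {
    global $wpdb;

    // A payment identifier here is expected to be a positive integer; absint()
    // turns anything else (including SQL fragments) into 0, which we reject.
    $payment_id = absint( wp_unslash( $payment_param ) );
    if ( 0 === $payment_id ) {
        return null;
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_payments WHERE payment_id = %d",
        $payment_id
    );
    return $wpdb->get_row( $sql );
}

// If the identifier is a string (for example a gateway transaction token), the
// same rule applies with a %s placeholder: sanitize, check for empty, bind.
function example_lookup_payment_by_token( $token_param ) {
    global $wpdb;
    $token = sanitize_text_field( wp_unslash( $token_param ) );
    if ( '' === $token ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_payments WHERE payment_token = %s",
            $token
        )
    );
}
```

The important property of the hardened functions is that the query text is fixed before any user data is bound: appended SQL in the parameter cannot change the statement, so there is nothing for a time-based probe to trigger. Type validation before the query is a second, independent layer and also makes log review easier, because a non-numeric payment value is then never legitimate.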
How This Could Impact Your Website
In a realistic scenario, a site owner runs the Business Directory Plugin and several staff members and external contributors manage listings and payments. Because the vulnerability can be exploited without authentication, an attacker could craft requests targeting the payment parameter to extract data from the site database. Exposed data could include user contact information or other sensitive records stored in the plugin’s tables.
Potential practical consequences include exposure of internal user email addresses and other sensitive fields, which can increase the risk of targeted phishing or social engineering against staff or contributors. The issue does not, per the CVE details, indicate direct site takeover or content integrity changes, but disclosed data alone can materially increase downstream risk.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can submit data to the site.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and logs for unusual behavior, including unexpected queries or requests targeting payment-related endpoints.
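As an added example of the monitoring step above (written for this page, not taken from the advisory or the plugin), the PHP CLI script below scans web-server access-log lines for requests whose payment parameter does not look like a plain identifier, and for the unusually slow responses that time-based probing produces. The three log lines are constructed for the example; the format is the Apache/Nginx "combined" format with an extra trailing response-time field in seconds, which is a logging configuration assumed here.

```php
<?php
// Added example (not from the advisory or the plugin): triage access-log lines
// for suspicious `payment` parameters and slow responses. Sample lines are
// constructed; the trailing response-time field is an assumed log format.

function example_log_lines(): string {
    return <<<'LOG'
203.0.113.7 - - [18/Feb/2026:05:10:01 +0000] "GET /?page_id=12&payment=4812 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.081
203.0.113.7 - - [18/Feb/2026:05:10:04 +0000] "GET /?page_id=12&payment=4812'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5.094
198.51.100.9 - - [18/Feb/2026:05:11:30 +0000] "GET /?page_id=12&payment=91 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.077
LOG;
}

// Parse one combined-format line (plus the response-time field) into its
// parts, decoding the query string; returns null when the line does not match.
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" ([\d.]+)$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $query = [];
    $qs    = parse_url( $m[4], PHP_URL_QUERY );
    if ( is_string( $qs ) ) {
        parse_str( $qs, $query ); // also percent-decodes the values
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'elapsed' => (float) $m[6],
        'query'   => $query,
    ];
}

// A payment identifier is expected to be digits only. Anything else is worth a
// look; the keyword list covers SQL comment/quote syntax and the delay
// functions that time-based probing relies on.
function payment_param_suspicious( string $value ): bool {
    if ( preg_match( '/^\d+$/', $value ) ) {
        return false;
    }
    return (bool) preg_match( '/(\bsleep\s*\(|\bbenchmark\s*\(|\bwaitfor\b|--|\/\*|[\'"])/i', $value );
}

// Return the entries that deserve triage, each with the reasons attached.
// Slow responses are flagged independently, since a probe may be encoded in a
// way the keyword check does not recognise.
function triage_log( string $log, float $slow_threshold = 2.0 ): array {
    $findings = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $entry = parse_log_line( $line );
        if ( null === $entry || ! array_key_exists( 'payment', $entry['query'] ) ) {
            continue;
        }
        $value   = $entry['query']['payment'];
        $reasons = [];
        // A non-string value means payment[] array syntax was used, which is
        // never legitimate for an identifier and is treated as suspicious.
        if ( ! is_string( $value ) || payment_param_suspicious( $value ) ) {
            $reasons[] = 'payment parameter is not a plain identifier';
        }
        if ( $entry['elapsed'] >= $slow_threshold ) {
            $reasons[] = sprintf( 'slow response (%.2fs)', $entry['elapsed'] );
        }
        if ( $reasons ) {
            $entry['reasons'] = $reasons;
            $findings[]       = $entry;
        }
    }
    return $findings;
}

foreach ( triage_log( example_log_lines() ) as $f ) {
    printf( "%s %s %s -> %s\n", $f['time'], $f['ip'], $f['path'], implode( '; ', $f['reasons'] ) );
}
```

Run with `php triage.php` (PHP 7.1 or later); against the constructed lines only the second request is reported, for both reasons. In practice, pipe the real access log into the script, tune the slow-response threshold to the site's normal latency for that page, and treat a single source IP producing repeated slow requests with non-numeric payment values as a strong signal worth correlating with the database slow-query log.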
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/business-directory-plugin/tags/6.4.21/includes/controllers/pages/class-checkout.php#L126
- https://plugins.trac.wordpress.org/browser/business-directory-plugin/tags/6.4.21/includes/db/class-db-query-set.php#L37
- https://plugins.trac.wordpress.org/changeset/3463307/business-directory-plugin/trunk/includes/db/class-db-query-set.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d8ec7d25-1574-416c-b5fd-3a71b1cc09d2?source=cve
Last updated: February 18, 2026 at 5:16:29 AM UTC