Authorization Bypass Vulnerability in Business Directory Plugin for WordPress
CVE-2026-1656

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Business Directory Plugin – Easy Listing Directories For WordPress
Vendor: CVE Published:; 18 February 2026

What is CVE-2026-1656?

The Business Directory Plugin for WordPress is vulnerable to an authorization bypass due to a missing authorization check present in versions up to and including 6.4.20. This flaw allows unauthenticated attackers to manipulate arbitrary listings on the platform. By crafting specific requests to the wpbdp_ajax AJAX action and utilizing the listing ID, attackers can alter critical information such as titles, content, and email addresses of listings, significantly compromising the integrity and security of affected sites.

Affected Version(s)

Business Directory Plugin – Easy Listing Directories for WordPress 0 <= 6.4.20

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/business-direc...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 18, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

Sein Linn

CVE-2026-1656 Data

JSON