SQL Injection Vulnerability in Business Directory Plugin for WordPress
CVE-2026-2576

7.5HIGH

Key Information:

Vendor: WordPress
Status: Business Directory Plugin – Easy Listing Directories For WordPress
Vendor: CVE Published:; 18 February 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-2576?

The Business Directory Plugin for WordPress is prone to a time-based SQL Injection vulnerability through the 'payment' parameter. This flaw arises from inadequate escaping of user-supplied input and insufficient preparation of the SQL query. It permits attackers without authentication to inject arbitrary SQL statements into existing queries, potentially exposing sensitive database information.

Affected Version(s)

Business Directory Plugin – Easy Listing Directories for WordPress 0 <= 6.4.21

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE_2026_2576_PoC
Created by SowatKheang

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/business-direc...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 27, 2026
👾
Exploit known to exist
Mar 27, 2026
Vulnerability published
Feb 18, 2026
Vulnerability Reserved
Feb 16, 2026

Credit

Sein Linn

CVE-2026-2576 Data

JSON