CVE-2026-1656 (GCVE-0-2026-1656)
Vulnerability from cvelistv5
Published
2026-02-18 08:26
Modified
2026-04-08 17:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Business Directory Plugin for WordPress is vulnerable to authorization bypass due to a missing authorization check in all versions up to, and including, 6.4.20. This makes it possible for unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email addresses, by directly referencing the listing ID in crafted requests to the wpbdp_ajax AJAX action.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| strategy11team | Business Directory Plugin – Easy Listing Directories for WordPress |
Version: 0 ≤ 6.4.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T12:26:23.236314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:51:17.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Business Directory Plugin \u2013 Easy Listing Directories for WordPress",
"vendor": "strategy11team",
"versions": [
{
"lessThanOrEqual": "6.4.20",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sein Linn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Business Directory Plugin for WordPress is vulnerable to authorization bypass due to a missing authorization check in all versions up to, and including, 6.4.20. This makes it possible for unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email addresses, by directly referencing the listing ID in crafted requests to the wpbdp_ajax AJAX action."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:00.003Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f894ce75-168c-4baa-8cae-d2e7f1a0a9ab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/tags/6.4.20/includes/helpers/class-authenticated-listing-view.php#L20"
},
{
"url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/helpers/class-authenticated-listing-view.php#L20"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3452627/business-directory-plugin/tags/6.4.21/includes/controllers/pages/class-submit-listing.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-17T20:07:01.000Z",
"value": "Disclosed"
}
],
"title": "Business Directory Plugin \u003c= 6.4.20 - Missing Authorization to Unauthenticated Arbitrary Listing Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1656",
"datePublished": "2026-02-18T08:26:05.398Z",
"dateReserved": "2026-01-29T19:21:47.804Z",
"dateUpdated": "2026-04-08T17:34:00.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1656\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-18T12:26:23.236314Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-18T12:26:24.473Z\"}}], \"cna\": {\"title\": \"Business Directory Plugin \u003c= 6.4.20 - Missing Authorization to Unauthenticated Arbitrary Listing Modification\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Sein Linn\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"strategy11team\", \"product\": \"Business Directory Plugin \\u2013 Easy Listing Directories for WordPress\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.4.20\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-17T20:07:01.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/f894ce75-168c-4baa-8cae-d2e7f1a0a9ab?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/business-directory-plugin/tags/6.4.20/includes/helpers/class-authenticated-listing-view.php#L20\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/helpers/class-authenticated-listing-view.php#L20\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3452627/business-directory-plugin/tags/6.4.21/includes/controllers/pages/class-submit-listing.php\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Business Directory Plugin for WordPress is vulnerable to authorization bypass due to a missing authorization check in all versions up to, and including, 6.4.20. This makes it possible for unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email addresses, by directly referencing the listing ID in crafted requests to the wpbdp_ajax AJAX action.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-08T17:34:00.003Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-1656\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T17:34:00.003Z\", \"dateReserved\": \"2026-01-29T19:21:47.804Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-02-18T08:26:05.398Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…