CVE-2026-2576
Time-Based SQL Injection in Business Directory Plugin
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| business_directory_plugin | business_directory_plugin | to 6.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Business Directory Plugin for WordPress is vulnerable to a time-based SQL Injection through the 'payment' parameter in all versions up to and including 6.4.2. This vulnerability arises because the plugin does not properly escape user-supplied input and fails to sufficiently prepare the SQL query. As a result, unauthenticated attackers can inject additional SQL commands into existing queries, potentially extracting sensitive information from the database.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to perform time-based SQL Injection attacks, which can lead to unauthorized extraction of sensitive data from the plugin's database. Since the vulnerability affects the payment processing parameter, attackers might access confidential payment or user information. The CVSS score of 7.5 indicates a high severity with network attack vector and no privileges or user interaction required, meaning it can be exploited remotely without authentication.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a time-based SQL Injection via the 'payment' parameter in the Business Directory Plugin for WordPress. Detection involves monitoring for unusual or suspicious SQL queries or HTTP requests containing crafted 'payment' parameters that attempt to inject SQL code.
You can detect potential exploitation attempts by inspecting web server logs or using network monitoring tools to look for HTTP requests targeting the plugin's payment processing endpoints with suspicious parameters.
- Use tools like grep or similar to search web server access logs for requests containing the 'payment' parameter with suspicious payloads, e.g.:
- grep -i 'payment=' /var/log/apache2/access.log
- Use a web application firewall (WAF) or intrusion detection system (IDS) to detect time-based SQL injection patterns or anomalies in requests to the plugin.
- Monitor database query logs for slow queries or unusual query patterns involving the payment table or related database tables.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the Business Directory Plugin to version 6.4.22 or later, where the SQL injection vulnerability has been addressed by properly preparing SQL queries and escaping user inputs.'}, {'type': 'paragraph', 'content': 'If updating immediately is not possible, consider disabling or restricting access to the payment functionality of the plugin to prevent exploitation.'}, {'type': 'paragraph', 'content': "Implement web application firewall (WAF) rules to block suspicious requests containing SQL injection patterns targeting the 'payment' parameter."}, {'type': 'paragraph', 'content': 'Regularly monitor logs for exploitation attempts and apply principle of least privilege to database users to limit potential damage.'}] [3]