Attack Vectors
CVE-2026-1656 affects Business Directory Plugin – Easy Listing Directories for WordPress (slug: business-directory-plugin) in versions up to and including 6.4.20. Rated Medium severity (CVSS 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), this issue can be reached over the internet and does not require a logged-in account.
An unauthenticated attacker can send crafted requests to the plugin’s wpbdp_ajax AJAX action and modify listings by directly referencing a listing ID. The reported changes can include titles, content, and email addresses, which are high-visibility fields for any directory-driven marketing or lead-generation site.
Security Weakness
The core weakness is a missing authorization check (an authorization bypass). In practical terms, the plugin does not reliably confirm that the requester is allowed to edit a given listing before applying updates.
Because this weakness is tied to how the plugin handles update requests, it can allow changes to listings without the normal controls business owners expect (such as requiring a listing owner account, staff permissions, or administrative approval).
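The checks that close this class of weakness, as an added example: this is a hypothetical WordPress AJAX handler, not code from Business Directory Plugin or its 6.4.21 patch. Every name prefixed `example_` (action, post type, meta key, form fields) is an assumption; the WordPress core functions are real.

```php
<?php
// Added illustration only: hypothetical handler, not the plugin's code.

// Register for logged-in users only. Hooking the same callback to
// 'wp_ajax_nopriv_example_update_listing' would expose it to anonymous visitors.
add_action( 'wp_ajax_example_update_listing', 'example_update_listing' );

function example_update_listing() {
    // 1. CSRF: the request must carry a nonce issued for this action (dies on failure).
    check_ajax_referer( 'example_update_listing', 'nonce' );

    // 2. Object reference: coerce the ID to an integer and confirm it is a listing.
    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    $listing    = $listing_id ? get_post( $listing_id ) : null;
    if ( ! $listing || 'example_listing' !== $listing->post_type ) {
        wp_send_json_error( array( 'message' => 'Listing not found.' ), 404 );
    }

    // 3. Authorization: the current user must be allowed to edit THIS listing.
    //    The 'edit_post' meta capability resolves ownership and role for the given ID.
    if ( ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Only after the checks above: sanitize each field that will be written.
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? $listing->post_title ) );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? $listing->post_content ) );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! empty( $_POST['email'] ) && ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }

    // wp_update_post() expects slashed data, so re-slash the cleaned values.
    $result = wp_update_post( wp_slash( array(
        'ID'           => $listing_id,
        'post_title'   => $title,
        'post_content' => $content,
    ) ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => 'Update failed.' ), 500 );
    }
    if ( '' !== $email ) {
        update_post_meta( $listing_id, '_example_contact_email', $email );
    }
    wp_send_json_success( array( 'id' => $listing_id ) );
}
```

A nonce alone is not an authorization control; the per-object capability check in step 3 is what ties the listing ID in the request to a user permitted to change it.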
Technical or Business Impacts
For marketing directors and executives, the primary risk is brand and lead integrity. If attackers alter listing titles or descriptions, prospects may see misleading or damaging information, reducing trust and conversion rates.
Changes to email addresses can redirect inquiries away from your team, causing lost leads, missed partnerships, and avoidable revenue impact. This can also skew campaign reporting and attribution, since responses may never reach your systems.
For compliance and operations teams, unauthorized edits to public listings can create data governance and accuracy issues (for example, incorrect business details presented to customers), and can increase workload through incident response, customer support escalations, and reputational repair.
Remediation: Update Business Directory Plugin to 6.4.21 or newer, which includes the patch. Track the CVE record for reference: https://www.cve.org/CVERecord?id=CVE-2026-1656. Vendor/advisory source: https://www.wordfence.com/threat-intel/vulnerabilities/id/f894ce75-168c-4baa-8cae-d2e7f1a0a9ab.
Similar Attacks
Authorization gaps like this are a common cause of real-world WordPress incidents, especially in plugins that manage customer-facing content. Here are a few well-known examples of plugin-related attacks that organizations have faced:
WordPress REST API content injection (2017) — a high-profile incident where attackers altered site content at scale.
File Manager plugin zero-day (2020) — widely exploited to compromise websites through a popular plugin.
Elementor Pro vulnerability (2021) — an example of a plugin flaw that could be abused to change site behavior and content.