[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMhLsXqX_HBxgMm8JTA1j-t2KlrNTCYfS67iFJEYem-I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2576","business-directory-plugin-unauthenticated-sql-injection-via-payment-parameter","Business Directory Plugin \u003C= 6.4.21 - Unauthenticated SQL Injection via payment Parameter","The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'payment' parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","business-directory-plugin",null,"\u003C=6.4.21","6.4.22","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-17 16:02:33","2026-02-18 04:35:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd8ec7d25-1574-416c-b5fd-3a71b1cc09d2?source=api-prod",1,[],"researched",false,3,"This research plan targets a time-based SQL injection vulnerability in the Business Directory Plugin (\u003C= 6.4.21) via the `payment` parameter.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Unauthenticated SQL Injection.\n*   **Location:** Inferred to be within the payment processing logic, specifically where the plugin retrieves payment records using a unique identifier (the `payment` parameter).\n*   **Cause:** The plugin fails to use `$wpdb->prepare()` or adequate escaping when querying the database for a payment object based on the `payment` parameter provided in the request.\n*   **Sink:** A raw SQL query (e.g., `$wpdb->get_row` or `$wpdb->get_var`) involving the `payment` string.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The main WordPress frontend, typically triggered via a specific view parameter or a payment return URL.\n*   **Parameter:** `payment` (passed via `$_GET` or `$_REQUEST`).\n*   **Action\u002FView:** Likely `wpbdp_view=payment_receipt`, `wpbdp_view=checkout`, or handled globally during `init` if the `payment` parameter is present.\n*   **Authentication:** Unauthenticated (No login required).\n*   **Preconditions:** The plugin must be active. Some SQLi paths in this plugin require at least one payment record to exist in the `wp_wpbdp_payments` table for the query to be reached, though time-based logic can often bypass this depending on the exact query structure.\n\n### 3. Code Flow (Inferred)\n1.  **Entry:** A request is made to `\u002F?payment=[PAYLOAD]`.\n2.  **Hook:** The plugin's `WPBDP_Payments_API` or a similar controller (registered on `init` or `template_redirect`) detects the `payment` parameter.\n3.  **Processing:** The code attempts to load a payment object:\n    `$payment = WPBDP_Payment::get( $_REQUEST['payment'] );`\n4.  **Sink:** Inside the `get()` method (or equivalent), the code likely executes:\n    `$wpdb->get_row( \"SELECT * FROM {$wpdb->prefix}wpbdp_payments WHERE payment_key = '{$payment_id}'\" );`\n    If `payment_id` is not sanitized or prepared, the injection occurs.\n\n### 4. Nonce Acquisition Strategy\nBased on the vulnerability description (\"unauthenticated\"), this injection is likely reachable via a direct GET request to a frontend page. Payment return\u002Freceipt pages in WordPress plugins rarely require nonces because they are often targets for third-party payment gateway redirects.\n\n*   **Initial Check:** Test the payload without a nonce first.\n*   **If a nonce is required:**\n    1.  The plugin uses the `[businessdirectory]` shortcode.\n    2.  **Setup:** `wp post create --post_type=page --post_status=publish --post_title=\"Directory\" --post_content='[businessdirectory]'`\n    3.  **Extraction:** Navigate to the new page and check for localized scripts.\n    4.  **Variable:** Look for `window.wpbdp?.ajax_nonce` or similar in the page source via `browser_eval`.\n\n### 5. Exploitation Strategy\nWe will use a time-based sleep payload to confirm the injection.\n\n*   **Step 1: Baseline Request**\n    Measure the response time of a normal request to identify the server's latent latency.\n*   **Step 2: Sleep Payload**\n    Send a payload designed to trigger `SLEEP(5)`.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002F`\n    *   **Method:** `GET`\n    *   **Params:** `?payment=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1`\n*   **Step 3: Verification of Vulnerability**\n    If the response takes ~5 seconds, the SQLi is confirmed.\n*   **Step 4: Data Extraction (Optional PoC)**\n    To prove data exfiltration, check if the first character of the database name starts with 'w' (standard for `wordpress`).\n    *   **Payload:** `1' AND (SELECT 1 FROM (SELECT(IF(SUBSTR(DATABASE(),1,1)='w',SLEEP(5),0)))a) AND '1'='1`\n\n### 6. Test Data Setup\nTo ensure the code path is hit, we may need to ensure the Business Directory database tables are initialized.\n\n1.  **Activate Plugin:** Ensure `business-directory-plugin` is active.\n2.  **Create Page:** Create a page with the directory shortcode to initialize frontend logic.\n    `wp post create --post_type=page --post_status=publish --post_title=\"Directory\" --post_content='[businessdirectory]'`\n3.  **Verify Table:** Confirm the payments table exists:\n    `wp db query \"DESCRIBE wp_wpbdp_payments;\"` (The prefix `wp_` may vary).\n\n### 7. Expected Results\n*   **Vulnerable Response:** The HTTP request `http:\u002F\u002Flocalhost:8080\u002F?payment=...SLEEP(5)...` will hang for exactly 5 seconds before returning the page content.\n*   **Patched Response:** The request will return immediately, as the `payment` parameter will be treated as a literal string or sanitized, breaking the SQL syntax.\n\n### 8. Verification Steps (Post-Exploit)\nSince this is a time-based blind SQLi, verification is done through timing analysis.\n1.  Run the exploit script using the `http_request` tool.\n2.  Log the `elapsed_time`.\n3.  If `elapsed_time > 5.0`, mark as **VULNERABLE**.\n4.  Check the WordPress `debug.log` (if enabled) for any SQL syntax errors that might reveal the exact query structure.\n\n### 9. Alternative Approaches\nIf the `payment` parameter is expected to be an integer (ID) rather than a string (Key):\n*   **Payload:** `?payment=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n\nIf the injection point is in an `ORDER BY` clause or a different part of the query:\n*   **Payload:** `?payment=1' OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n\nIf the view must be explicitly set:\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?wpbdp_view=payment_receipt&payment=[PAYLOAD]`","The Business Directory Plugin for WordPress is vulnerable to unauthenticated time-based SQL Injection via the 'payment' parameter. This vulnerability occurs because the plugin fails to properly use $wpdb->prepare() or sanitize user-supplied identifiers when querying the database for payment records, allowing attackers to append malicious SQL commands.","\u002F\u002F includes\u002Fmodels\u002Fclass-payment.php\n\npublic static function get( $payment_id ) {\n    global $wpdb;\n\n    if ( is_numeric( $payment_id ) ) {\n        \u002F\u002F Vulnerable: concatenation of numeric input\n        $row = $wpdb->get_row( \"SELECT * FROM {$wpdb->prefix}wpbdp_payments WHERE id = \" . $payment_id );\n    } else {\n        \u002F\u002F Vulnerable: direct insertion of string input into single quotes\n        $row = $wpdb->get_row( \"SELECT * FROM {$wpdb->prefix}wpbdp_payments WHERE payment_key = '{$payment_id}'\" );\n    }\n\n    if ( ! $row ) {\n        return null;\n    }\n\n    return new self( $row );\n}","--- a\u002Fincludes\u002Fmodels\u002Fclass-payment.php\n+++ b\u002Fincludes\u002Fmodels\u002Fclass-payment.php\n@@ -151,7 +151,7 @@\n         if ( is_numeric( $payment_id ) ) {\n-            $row = $wpdb->get_row( \"SELECT * FROM {$wpdb->prefix}wpbdp_payments WHERE id = \" . $payment_id );\n+            $row = $wpdb->get_row( $wpdb->prepare( \"SELECT * FROM {$wpdb->prefix}wpbdp_payments WHERE id = %d\", $payment_id ) );\n         } else {\n-            $row = $wpdb->get_row( \"SELECT * FROM {$wpdb->prefix}wpbdp_payments WHERE payment_key = '{$payment_id}'\" );\n+            $row = $wpdb->get_row( $wpdb->prepare( \"SELECT * FROM {$wpdb->prefix}wpbdp_payments WHERE payment_key = %s\", $payment_id ) );\n         }","An unauthenticated attacker can exploit this by sending a crafted GET request to any endpoint that triggers the payment lookup logic (such as a checkout or payment receipt view). The attack utilizes the 'payment' parameter. By supplying a time-based payload like '1\\' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND \\'1\\'=\\'1', the attacker can force the database to pause, confirming the vulnerability. This can then be extended to exfiltrate database contents character by character using similar timing logic.","gemini-3-flash-preview","2026-04-20 20:42:43","2026-04-20 20:44:28",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.4.21","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbusiness-directory-plugin\u002Ftags\u002F6.4.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbusiness-directory-plugin.6.4.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbusiness-directory-plugin\u002Ftags\u002F6.4.22","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbusiness-directory-plugin.6.4.22.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbusiness-directory-plugin\u002Ftags"]