CVE-2026-6070
CMSJunkie · WP-BusinessDirectory
The WP-BusinessDirectory plugin for WordPress contains an unauthenticated arbitrary file deletion vulnerability due to insufficient path validation in the upload controller.
Executive summary
A critical vulnerability in the WP-BusinessDirectory plugin allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to total system compromise.
Vulnerability
This is an arbitrary file deletion vulnerability caused by improper sanitization of the _filename parameter in the JBusinessDirectoryControllerUpload class. Unauthenticated attackers can leverage path traversal sequences to reach and delete critical system files, such as wp-config.php, via the plugin's frontend routing.
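The root cause described above is a deletion handler that trusts a caller-supplied filename. The following is an added illustration, not the plugin's code and written in Python rather than PHP: it contrasts the flawed pattern (joining the raw parameter onto the upload directory) with a hardened check that only accepts a single path component resolving to a direct child of the upload directory. The upload directory path, the filenames, and the `demo()` function are constructed for the example and are not taken from the advisory.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed upload directory for the example; the advisory does not state the
# plugin's real path, so this is an assumption used only to illustrate the check.
UPLOAD_DIR = Path("/var/www/html/wp-content/uploads/businessdirectory")


def unsafe_target(filename: str, upload_dir: Path = UPLOAD_DIR) -> str:
    """The flawed pattern: join user input onto the upload directory with no validation.

    This only computes where such a path would land; it never deletes anything.
    With a traversal sequence the result lies outside upload_dir.
    """
    return os.path.normpath(os.path.join(str(upload_dir), filename))


def resolve_upload_target(filename: str, upload_dir: Path = UPLOAD_DIR) -> Optional[Path]:
    """Hardened check: return the canonical path only if it is a direct child of upload_dir."""
    if not filename or filename in {".", ".."}:
        return None
    # A stored upload is a single path component: refuse any separator or NUL outright.
    if "/" in filename or "\\" in filename or "\0" in filename:
        return None
    base = upload_dir.resolve()
    target = (base / filename).resolve()  # collapses symlinks as well as '..'
    if target.parent != base:
        return None
    return target


def delete_upload(filename: str, upload_dir: Path = UPLOAD_DIR) -> bool:
    """Delete an upload by name; returns False (and deletes nothing) for anything rejected."""
    target = resolve_upload_target(filename, upload_dir)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> Dict[str, bool]:
    """Exercise both paths against a throwaway directory tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "uploads"
        uploads.mkdir()
        (uploads / "photo.jpg").write_text("jpeg bytes")
        config = root / "wp-config.php"  # stands in for a file outside the upload directory
        config.write_text("<?php /* constructed stand-in */")
        inside = str(uploads) + os.sep
        results = {
            "unsafe_points_outside": not unsafe_target("../wp-config.php", uploads).startswith(inside),
            "traversal_rejected": delete_upload("../wp-config.php", uploads),
            "config_survives": config.exists(),
            "plain_name_deleted": delete_upload("photo.jpg", uploads),
            "photo_gone": not (uploads / "photo.jpg").exists(),
        }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check deliberately rejects separators before canonicalising rather than relying on `resolve()` alone, so a name that is syntactically suspicious never reaches the filesystem, and the containment test (`target.parent == base`) catches symlinked entries that would otherwise point outside the directory.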
Business impact
The ability for an unauthenticated attacker to delete critical configuration files poses a severe risk to business continuity and data integrity. With a CVSS score of 9.1, this flaw could result in complete service disruption (denial of service) or allow an attacker to reconfigure the application environment to facilitate further exploitation, leading to significant reputational and operational damage.
Remediation
Immediate Action: Update the WP-BusinessDirectory plugin to the latest available version, which patches the file deletion logic.
Proactive Monitoring: Review server access logs for suspicious requests targeting task=upload.remove and monitor for unexpected file deletion events or sudden site outages.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../) directed toward the plugin's upload endpoints.
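To make the monitoring and WAF advice above concrete, here is an added detection example (not part of the advisory and not vendor tooling) that scans web server access logs in combined format for requests to the `task=upload.remove` handler and grades them by whether the `_filename` value carries a traversal sequence. It decodes percent-encoding repeatedly, because a WAF rule that matches only a literal `../` misses `%2e%2e%2f` and double-encoded forms. The log lines and the `/directory/` route are constructed for the example; the real front-end route is not stated in the advisory.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Prefix of the Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A bare ".." path segment with either separator, anywhere in the decoded value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed sample lines, not real traffic. The path is a placeholder route; the
# query parameter names are the ones the advisory mentions.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /directory/?task=upload.remove&_filename=photo.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/May/2026:10:01:05 +0000] "GET /directory/?task=upload.remove&_filename=../../../wp-config.php HTTP/1.1" 200 23 "-" "curl/8.4.0"
203.0.113.12 - - [12/May/2026:10:01:09 +0000] "GET /directory/?task=upload.remove&_filename=%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 23 "-" "curl/8.4.0"
203.0.113.13 - - [12/May/2026:10:01:12 +0000] "GET /directory/?task=upload.remove&_filename=%252e%252e%252fwp-config.php HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.14 - - [12/May/2026:10:02:00 +0000] "GET /directory/?task=business.view&id=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:02:30 +0000] "POST /directory/?task=upload.remove HTTP/1.1" 200 23 "-" "curl/8.4.0"
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f and %2e%2e%2f both become '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a line that targets the upload.remove task, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)  # decodes percent-encoding once
    tasks = [fully_decode(t).lower() for t in params.get("task", [])]
    if "upload.remove" not in tasks:
        return None
    filenames = [fully_decode(f) for f in params.get("_filename", [])]
    if any(TRAVERSAL_RE.search(f) for f in filenames):
        severity = "high"    # traversal sequence aimed at the deletion handler
    elif m.group("method") == "POST" and not filenames:
        severity = "review"  # parameters may be in the body, which access logs do not record
    else:
        severity = "medium"  # deletion request without traversal, still unauthenticated
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "method": m.group("method"),
        "status": m.group("status"),
        "filename": ",".join(filenames),
        "severity": severity,
    }


def scan(log_text: str) -> List[Dict[str, str]]:
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["ip"]:14} {finding["method"]:4} {finding["filename"]}')
```

Two caveats for anyone running this against real logs: POST bodies are not written to access logs, so a request that carries `_filename` in the body only shows up as a `review`-grade hit on the task parameter, and a `200` status does not by itself tell you whether the deletion succeeded, so any `high` finding should be followed by checking that `wp-config.php` and other files outside the upload directory are intact.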
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical severity of this vulnerability and the ease of exploitation, immediate remediation is required. Administrators should prioritize updating the plugin across all affected WordPress installations to prevent unauthorized file deletion and potential server-side compromise.