Skip to main content

WP-BusinessDirectory CVE-2026-39591

| EUVDEUVD-2026-36969 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-15 Patchstack GHSA-w5jv-9w5f-54r3
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable WordPress endpoint, no user interaction, low-privilege Subscriber required (PR:L), arbitrary file write yields RCE on host so scope changes and C/I/A all High.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:16 vuln.today
CVE Published
Jun 15, 2026 - 20:18 cve.org
CRITICAL 9.9

DescriptionCVE.org

Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions.

AnalysisAI

Arbitrary file upload in the WP-BusinessDirectory WordPress plugin (versions through 4.0.0) allows authenticated users holding only the low-privilege Subscriber role to upload files of attacker-chosen types to the host site. The CVSS scope-changed 9.9 rating reflects that a successful upload of executable content (e.g., a PHP webshell) yields code execution under the WordPress process and pivots impact beyond the plugin into the wider site and host. No public exploit identified at time of analysis, but Subscriber-level file upload bugs are routinely weaponised against WordPress sites that allow open registration.

Technical ContextAI

WP-BusinessDirectory is a CMSJunkie-developed WordPress plugin (CPE cmsjunkie_-_wordpress_business_directory_plugins:wp-businessdirectory) that lets site owners publish business listings, and exposes upload endpoints used by listing authors for logos, attachments, and media. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's upload handler fails to enforce a server-side allowlist of file extensions/MIME types or to neutralise dangerous content before writing into the WordPress uploads directory. Because WordPress executes PHP from wp-content/uploads unless the webserver is hardened, an uploaded .php (or polyglot) file can be requested directly to run code in the site's PHP context.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-businessdirectory/vulnerability/wordpress-wp-businessdirectory-plugin-4-0-0-arbitrary-file-upload-vulnerability) for the latest fixed release and upgrade WP-BusinessDirectory to a version strictly greater than 4.0.0 once published. In the interim, deactivate the plugin if listings are not business-critical, or disable open user registration (Settings → General → Membership) and set the default role to Subscriber-with-no-listing-rights to remove the precondition; additionally configure the webserver to deny PHP execution within wp-content/uploads (Apache: a .htaccess with 'php_flag engine off' and a FilesMatch deny for .ph* extensions; Nginx: a location block returning 403 for \.php$ under /wp-content/uploads/), accepting that this also blocks any legitimate plugin that intentionally serves PHP from uploads. A WAF rule (e.g., the Patchstack vPatch or equivalent ModSecurity rule) restricting multipart uploads to the plugin's endpoints can serve as a temporary virtual patch.

Share

CVE-2026-39591 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy