Wp Businessdirectory
Monthly
Arbitrary file upload in the WP-BusinessDirectory WordPress plugin (versions through 4.0.0) allows authenticated users holding only the low-privilege Subscriber role to upload files of attacker-chosen types to the host site. The CVSS scope-changed 9.9 rating reflects that a successful upload of executable content (e.g., a PHP webshell) yields code execution under the WordPress process and pivots impact beyond the plugin into the wider site and host. No public exploit identified at time of analysis, but Subscriber-level file upload bugs are routinely weaponised against WordPress sites that allow open registration.
Arbitrary file upload in the WP-BusinessDirectory WordPress plugin (versions through 4.0.0) allows authenticated users holding only the low-privilege Subscriber role to upload files of attacker-chosen types to the host site. The CVSS scope-changed 9.9 rating reflects that a successful upload of executable content (e.g., a PHP webshell) yields code execution under the WordPress process and pivots impact beyond the plugin into the wider site and host. No public exploit identified at time of analysis, but Subscriber-level file upload bugs are routinely weaponised against WordPress sites that allow open registration.