Skip to main content

Wp Businessdirectory

1 CVEs product

Monthly

CVE-2026-39591 CRITICAL Act Now

Arbitrary file upload in the WP-BusinessDirectory WordPress plugin (versions through 4.0.0) allows authenticated users holding only the low-privilege Subscriber role to upload files of attacker-chosen types to the host site. The CVSS scope-changed 9.9 rating reflects that a successful upload of executable content (e.g., a PHP webshell) yields code execution under the WordPress process and pivots impact beyond the plugin into the wider site and host. No public exploit identified at time of analysis, but Subscriber-level file upload bugs are routinely weaponised against WordPress sites that allow open registration.

File Upload Wp Businessdirectory
NVD
CVSS 3.1
9.9
EPSS
0.5%
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the WP-BusinessDirectory WordPress plugin (versions through 4.0.0) allows authenticated users holding only the low-privilege Subscriber role to upload files of attacker-chosen types to the host site. The CVSS scope-changed 9.9 rating reflects that a successful upload of executable content (e.g., a PHP webshell) yields code execution under the WordPress process and pivots impact beyond the plugin into the wider site and host. No public exploit identified at time of analysis, but Subscriber-level file upload bugs are routinely weaponised against WordPress sites that allow open registration.

File Upload Wp Businessdirectory
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy