Skip to main content

Wp Businessdirectory Business Directory Plugin For Wordpress

1 CVEs product

Monthly

CVE-2026-6070 CRITICAL Act Now

Arbitrary file deletion in the WP-BusinessDirectory (Business Directory) plugin for WordPress (versions ≤ 4.0.1) lets unauthenticated remote attackers delete any file the web server can access, including wp-config.php. The flaw stems from the frontend-accessible task=upload.remove endpoint accepting an unsanitized _filename parameter that permits ../ path traversal. No public exploit is identified at time of analysis, but the CVSS 9.1 rating and trivial exploitation (network, no auth, no user interaction) make it high priority; deleting wp-config.php can force WordPress into its installer, enabling site takeover.

WordPress Path Traversal PHP Wp Businessdirectory Business Directory Plugin For Wordpress
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
EPSS 0% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the WP-BusinessDirectory (Business Directory) plugin for WordPress (versions ≤ 4.0.1) lets unauthenticated remote attackers delete any file the web server can access, including wp-config.php. The flaw stems from the frontend-accessible task=upload.remove endpoint accepting an unsanitized _filename parameter that permits ../ path traversal. No public exploit is identified at time of analysis, but the CVSS 9.1 rating and trivial exploitation (network, no auth, no user interaction) make it high priority; deleting wp-config.php can force WordPress into its installer, enabling site takeover.

WordPress Path Traversal PHP +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy