CVE-2026-27436: WordPress Five Star Business Profile and Schema plugin <= 2.3.19 - Arbitrary Code Execution vulnerability
Editor Arbitrary Code Execution in Five Star Business Profile and Schema <= 2.3.19 versions.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary code execution vulnerability exists in the Five Star Business Profile and Schema WordPress plugin at version 2.3.19 and earlier. The vulnerability is reachable over the network and requires a high-privilege account (such as a site administrator or editor-level user) to exploit, with no victim interaction needed. Successful exploitation gives the attacker full control over the host environment, including reading sensitive data, modifying content, and disrupting service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-27436 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Patchstack advisory) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. No manual scan trigger is needed.
Status: Available
HarborGuard scores this CVE at 9.1 CRITICAL (CVSS v3.1) and surfaces it with that severity weighting across each customer environment, adjusted by per-environment compliance policy. Findings are routed automatically to the team or inbox designated in each customer org's routing rules.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Required
The attacker must hold a high-privilege account (administrator or editor role) on the WordPress site before the exploit can be triggered.
- Victim interaction: Not required
No action by another user is needed; the attacker can trigger the vulnerability directly with their own authenticated requests.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.
Blast Radius
- Reads any file accessible to the web server process, including WordPress configuration files that contain database credentials and secret keys.
- Modifies or deletes arbitrary files on the host filesystem, including plugin files, themes, and uploaded media.
- Executes arbitrary operating system commands on the host, enabling installation of backdoors or lateral movement to adjacent systems.
- Crashes or destabilizes the WordPress service, causing a denial of service for site visitors and administrators.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged at CRITICAL severity and matched against any customer image found to contain Five Star Business Profile and Schema at version 2.3.19 or earlier. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory and the plugin repository on every ingest cycle. In the meantime, customers can apply compensating controls through HarborGuard network-policy suggestions: restricting the WordPress admin interface to known IP ranges, enforcing egress filtering on the container to block unexpected outbound connections from a compromised process, and auditing which accounts hold editor or administrator roles. The moment an upstream fix version is published, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive an automatic rebuild, regression-test run, and a PR opened against affected workloads.
- Rustaurius / Five Star Business Profile and Schema: ≤ 2.3.19
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H