How is CVE-2026-39591 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS to exploit this vulnerability. Authentication (required): A low-privilege subscriber account is sufficient; no administrative credentials are needed, making this accessible to any registered user on the WordPress site. Victim interaction (not-required): The attacker can complete the exploit entirely without any action from another user or administrator. Attack complexity (info): The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or other environmental factors to succeed.

What is the impact of CVE-2026-39591?

Attacker uploads and executes arbitrary server-side code, achieving full remote code execution on the host running WordPress. Attacker reads all files and database content accessible to the web server process, including stored credentials, user data, and private business directory records. Attacker modifies or deletes files and database rows, enabling defacement, data destruction, or backdoor implantation. Attacker can crash or destabilize the WordPress service, causing a denial of service for legitimate users.

Back to search

CRITICALCVE-2026-39591Published 2026-06-15Modified 2026-06-15CNA Patchstack

CVE-2026-39591: WordPress WP-BusinessDirectory plugin <= 4.0.0 - Arbitrary File Upload vulnerability

Q: What is CVE-2026-39591?

An arbitrary file upload vulnerability exists in the WP-BusinessDirectory WordPress plugin (versions 4.0.0 and earlier). Any authenticated user with a low-privilege subscriber account can upload arbitrary files to the server over the network, with no victim interaction required. Successful exploitation gives an attacker full remote code execution, read and write access to all data, and the ability to crash or take over the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

Q: Is CVE-2026-39591 patched?

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment CMSJunkie ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions.

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability exists in the WP-BusinessDirectory WordPress plugin (versions 4.0.0 and earlier). Any authenticated user with a low-privilege subscriber account can upload arbitrary files to the server over the network, with no victim interaction required. Successful exploitation gives an attacker full remote code execution, read and write access to all data, and the ability to crash or take over the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in registries and CI/CD pipelines, covering custom-built images that bundle the WP-BusinessDirectory plugin.

Available

Triage

Triage is available with the CVSS v3.1 score of 9.9 (Critical) applied immediately on match; per-environment compliance policy weighting can elevate or re-route the finding to the appropriate team inbox inside each customer organization.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment CMSJunkie ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS to exploit this vulnerability.
AuthenticationRequired
A low-privilege subscriber account is sufficient; no administrative credentials are needed, making this accessible to any registered user on the WordPress site.
Victim interactionNot required
The attacker can complete the exploit entirely without any action from another user or administrator.
Attack complexityDetail
The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or other environmental factors to succeed.

Blast Radius

Attacker uploads and executes arbitrary server-side code, achieving full remote code execution on the host running WordPress.
Attacker reads all files and database content accessible to the web server process, including stored credentials, user data, and private business directory records.
Attacker modifies or deletes files and database rows, enabling defacement, data destruction, or backdoor implantation.
Attacker can crash or destabilize the WordPress service, causing a denial of service for legitimate users.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for this Critical-severity vulnerability, HarborGuard continuously monitors the Patchstack advisory and re-evaluates affected images on every ingest cycle. In the meantime, compensating controls are available for consideration within each environment: network-policy isolation to restrict inbound access to the WordPress installation to trusted IP ranges, egress filtering to block outbound connections from the web server process, and disabling subscriber-level registration if public sign-up is not required. For customers with auto-remediation enabled, the moment CMSJunkie publishes a patched release, HarborGuard will make a rebuilt image available, run regression tests, and open a PR against affected workloads automatically. Customers whose compliance policy requires manual approval retain full control over merge timing.

See how HarborGuard automates this

Affected packages

CMSJunkie – WordPress Business Directory Plugins / WP-BusinessDirectory
≤ 4.0.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

patchstack.com

Metrics

Get notified