HarborGuard Database

CVE-2026-6070 | Severity: CRITICAL | CNA: Wordfence

CVE-2026-6070: WP-BusinessDirectory <= 4.0.1 - Unauthenticated Arbitrary File Deletion via Path Traversal via '_filename' Parameter

The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class. The task=upload.remove endpoint is accessible without authentication via the plugin's frontend routing system. The _filename parameter is accepted with RAW filter (no sanitization), and the helper function makePathFile() only normalizes directory separator characters without stripping path traversal sequences (../). When combined with the _path_type=2 parameter, which sets the base directory to the plugin's site folder, an attacker can supply a _filename value containing ../ sequences to traverse outside the plugin directory and call PHP's unlink() on arbitrary files — including wp-config.php, wp-config-backup.php, or other critical server files accessible to the web server process. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
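The path handling described above, modelled as an added example. This is not the plugin's own source: make_path_file, vulnerable_remove and hardened_remove are stand-ins for the makePathFile() helper, the flawed remove() method and a fixed remove(), and the directory layout is a constructed sandbox under a temporary directory standing in for the WordPress root and the plugin site folder that _path_type=2 selects. The vulnerable resolver joins the base directory and _filename after only normalising separators, exactly as the advisory describes, so `../` components survive and unlink() lands on wp-config.php. The hardened resolver resolves the joined path with realpath() and refuses anything outside the base directory (and, as an extra, any _filename with a directory component); the same check in PHP is realpath() on the joined path compared against realpath() of the base directory before calling unlink().

```python
"""Added example: a model of the path handling the advisory describes.

Not the plugin's source. make_path_file / vulnerable_remove / hardened_remove
stand in for makePathFile(), the flawed remove() and a fixed remove(); the
directory layout is a constructed sandbox under a temporary directory.
"""
import os
import tempfile


def make_path_file(base_dir: str, filename: str) -> str:
    """Mimic the helper as described: normalise separators, leave '..' intact."""
    return base_dir.rstrip("/") + "/" + filename.replace("\\", "/")


def vulnerable_remove(base_dir: str, filename: str) -> str:
    """The flawed behaviour: unlink whatever the joined path points at."""
    target = make_path_file(base_dir, filename)
    resolved = os.path.realpath(target)
    os.unlink(target)
    return resolved


def hardened_remove(base_dir: str, filename: str) -> str:
    """Fixed behaviour: resolve first, prove containment, only then unlink."""
    cleaned = filename.replace("\\", "/")
    base_real = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so a symlink planted inside
    # the base directory cannot redirect the delete either.
    target_real = os.path.realpath(os.path.join(base_real, cleaned))
    if os.path.commonpath([base_real, target_real]) != base_real:
        raise PermissionError(f"refusing to delete outside {base_real}: {target_real}")
    # Defence in depth: an upload-removal route never needs a directory component.
    if os.path.basename(cleaned) != cleaned or cleaned in ("", ".", ".."):
        raise PermissionError("_filename must be a bare file name")
    os.unlink(target_real)
    return target_real


def build_sandbox() -> tuple:
    """Constructed layout: <root>/wp-config.php plus the plugin 'site' folder
    that the advisory says _path_type=2 selects as the base directory."""
    root = tempfile.mkdtemp(prefix="wp-sandbox-")
    site_dir = os.path.join(root, "wp-content", "plugins", "business-directory", "site")
    os.makedirs(site_dir)
    config = os.path.join(root, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-example');\n")
    upload = os.path.join(site_dir, "photo-123.jpg")  # a legitimate upload
    open(upload, "wb").close()
    return root, site_dir, config, upload


def demo() -> dict:
    """Run both resolvers against the sandbox and report what survived."""
    _root, site_dir, config, upload = build_sandbox()
    # site -> business-directory -> plugins -> wp-content -> <root>
    traversal = "../../../../wp-config.php"
    results = {}
    try:
        hardened_remove(site_dir, traversal)
        results["hardened_blocked"] = False
    except PermissionError:
        results["hardened_blocked"] = True
    results["config_survived_hardened"] = os.path.exists(config)
    hardened_remove(site_dir, os.path.basename(upload))  # legitimate delete still works
    results["legit_deleted"] = not os.path.exists(upload)
    vulnerable_remove(site_dir, traversal)
    results["config_survived_vulnerable"] = os.path.exists(config)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order inside hardened_remove matters: the containment check runs on the resolved path before any filesystem write, so a request that fails the check never reaches unlink(). Stripping `../` from the string instead would be weaker, since `..\` (which the separator normalisation turns into `../`) and `....//` variants have to be enumerated, whereas realpath() containment is independent of how the traversal was spelled.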

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is a path traversal vulnerability leading to arbitrary file deletion in the WP-BusinessDirectory plugin for WordPress (versions up to and including 4.0.1). The vulnerable endpoint is reachable over the network with no authentication required, and the _filename parameter accepts unsanitized input including ../ sequences that traverse outside the intended plugin directory. A successful attacker can delete arbitrary files accessible to the web server process, including critical files such as wp-config.php, which can render the site inoperable or pave the way for further compromise. No fix version has been published; HarborGuard tracks this advisory and will make a patched rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Wordfence advisory, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the WP-BusinessDirectory plugin. Any image containing the affected plugin at version 4.0.1 or earlier is flagged in the customer's registry and CI pipeline scan results.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.1 Critical and weighs it against each customer environment's compliance policy to determine urgency and routing. The finding is directed to the appropriate team inbox within each customer organization based on configured ownership and policy rules.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated plugin version is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy recommendations, including isolating the affected workload and blocking external requests that invoke the plugin's task=upload.remove route.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable task=upload.remove endpoint is exposed over the network via the plugin's frontend routing system, so the attacker must be able to send HTTP requests to the target site.

  • Authentication: Not required

    The endpoint requires no authentication; any unauthenticated HTTP client can invoke the remove() method and supply the _filename parameter.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends a crafted request directly and the file deletion occurs server-side without any user action.

  • Attack complexity: Low (CVSS AC:L)

    The exploit is reliable and condition-free: no race conditions or special environmental configuration are needed, only a crafted _filename value containing ../ traversal sequences, sent together with _path_type=2 so that the base directory is the plugin's site folder.

Blast Radius

  • Deletes wp-config.php (or wp-config-backup.php), stripping the site of its database configuration and forcing WordPress into its setup state, which an attacker can complete to reinstall the site under their control.
  • Deletes any file the web server process is permitted to unlink, which on a POSIX filesystem means any file in a directory the process can write to, regardless of whether the file itself is writable; theme files, plugin files and .htaccess are typical targets, disrupting site functionality or disabling security controls.
  • Causes full service disruption by removing files critical to WordPress bootstrapping, taking the site offline.
  • Integrity of the entire WordPress file system is at risk: every such file is a deletion target, with no upper bound on the scope of damage other than filesystem permissions.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against customer images within minutes of Wordfence advisory ingestion, covering all images that bundle WP-BusinessDirectory at 4.0.1 or earlier, including custom-built WordPress images. Because no upstream patch exists, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads as soon as a fix is published. While no patch is available, customers are encouraged to apply compensating controls: use network policies or a web application firewall to block requests from unauthenticated clients that carry task=upload.remove, matching on the decoded parameter values rather than on the literal string ../ so that percent-encoded and backslash variants are caught as well (the advisory names the parameters but not the HTTP method, so the rule should cover query strings and request bodies alike); restrict egress from the WordPress container to limit what an attacker can reach if a deletion is turned into a site takeover; and audit filesystem permissions so that the directories holding wp-config.php and other critical files are not writable by the PHP process, since unlink() succeeds on the basis of write permission on the containing directory, not on the file itself. These controls can be documented and tracked as exceptions inside HarborGuard's compliance policy workflow until the upstream fix is released.
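A log-side check for the exploit shape, as an added example; this is not HarborGuard's or Wordfence's detection logic. It assumes combined-format web server access logs with the parameters in the query string, which is an assumption for illustration only: the advisory names the parameters but not the HTTP method, and parameters carried in a POST body never reach an access log, so the same matching belongs in a WAF or a request filter in front of PHP for that case. The log lines are constructed for the example. The normalisation mirrors what the advisory says makePathFile() does (backslashes become slashes) and also undoes repeated percent-encoding, because a rule that matches only the literal string ../ would miss those variants.

```python
"""Added example: flag requests matching the advisory's exploit shape in
combined-format access logs. Not HarborGuard's or Wordfence's logic; the log
lines are constructed and the rule uses only what the advisory states
(task=upload.remove, _filename carrying '..' components, _path_type=2).
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client, ident, user, [time], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: four traversal spellings, one plain removal, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "GET /?task=upload.remove&_path_type=2&_filename=../../../../wp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2026:10:00:02 +0000] "GET /?task=upload.remove&_path_type=2&_filename=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2026:10:00:03 +0000] "GET /?task=upload.remove&_path_type=2&_filename=..%5c..%5cwp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2026:10:00:04 +0000] "GET /?task=upload.remove&_path_type=2&_filename=%252e%252e%252fwp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /?task=upload.remove&_filename=photo-123.jpg HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2026:10:00:06 +0000] "GET /directory/?task=search&q=../etc HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def normalise(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding, then map backslashes to slashes the way
    the advisory says makePathFile() does, so every spelling looks the same."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True when any path component of the normalised value is exactly '..'."""
    return any(segment == ".." for segment in normalise(value).split("/"))


def classify(line: str) -> Optional[dict]:
    """Return a finding for an upload.remove request, or None for anything else."""
    match = LOG_RE.match(line)
    if not match:
        return None
    params = parse_qs(urlsplit(match["target"]).query, keep_blank_values=True)
    if params.get("task", [""])[0] != "upload.remove":
        return None
    filename = params.get("_filename", [""])[0]
    return {
        "ip": match["ip"],
        "time": match["time"],
        "status": match["status"],
        "path_type": params.get("_path_type", [""])[0],
        "filename": normalise(filename),
        # Traversal in _filename is the exploit; any other unauthenticated
        # upload.remove call is still worth a look while no fix exists.
        "verdict": "exploit" if has_traversal(filename) else "review",
    }


def scan(log_text: str) -> list:
    """Classify every line and keep only the upload.remove findings."""
    findings = (classify(line) for line in log_text.splitlines())
    return [finding for finding in findings if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["verdict"]:7} {finding["ip"]:12} {finding["filename"]}')
```

Keying on the decoded `..` component rather than a substring also avoids false positives on names such as `..foo` while still catching `..%5c` and double-encoded `%252e%252e`. The `status` field is kept so that a 200 on an exploit-shaped request can be prioritised over a blocked one once a WAF rule is in place.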

Affected packages
  • cmsjunkie / WP-BusinessDirectory – Business directory plugin for WordPress
    ≤ 4.0.1

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H