CVE-2026-6070: WP-BusinessDirectory <= 4.0.1 - Unauthenticated Arbitrary File Deletion via Path Traversal via '_filename' Parameter
The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class. The task=upload.remove endpoint is accessible without authentication via the plugin's frontend routing system. The _filename parameter is accepted with RAW filter (no sanitization), and the helper function makePathFile() only normalizes directory separator characters without stripping path traversal sequences (../). When combined with the _path_type=2 parameter, which sets the base directory to the plugin's site folder, an attacker can supply a _filename value containing ../ sequences to traverse outside the plugin directory and call PHP's unlink() on arbitrary files — including wp-config.php, wp-config-backup.php, or other critical server files accessible to the web server process. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
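To make the root cause concrete, the following PHP is an added illustration written for this page, not code from WP-BusinessDirectory: a hypothetical stand-in for a helper that only normalises separator characters (the behaviour the advisory attributes to makePathFile()) sits beside a containment check that canonicalises the path and refuses anything that escapes the base directory. The function names, the scratch directory and the sample files are all constructed for the demonstration.

```php
<?php
// Added illustration, not code from WP-BusinessDirectory: a stand-in for a
// helper that only normalises separators, beside a containment check that
// refuses paths escaping the base directory.

// Hypothetical stand-in for the advisory's makePathFile(): it rewrites '\'
// to '/' and collapses repeated separators, but never touches '../'.
function normalizeSeparatorsOnly(string $base, string $filename): string
{
    $path = rtrim($base, '/\\') . '/' . $filename;
    $path = str_replace('\\', '/', $path);
    return preg_replace('#/+#', '/', $path);
}

// Hardened resolution: accept only a bare file name, canonicalise with
// realpath(), and require the result to stay under the base directory.
// Returns null whenever the request should be refused.
function resolveInsideBase(string $base, string $filename): ?string
{
    if ($filename === '' || strpos($filename, "\0") !== false) {
        return null;
    }
    // A bare file name is unchanged by basename(); anything carrying a
    // directory component (including '../') is rejected here.
    $normalized = str_replace('\\', '/', $filename);
    if (basename($normalized) !== $normalized || $normalized === '.' || $normalized === '..') {
        return null;
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $normalized);
    // realpath() is false for a missing file; the prefix test also catches a
    // symlink inside the base that points elsewhere.
    if ($candidate === false || strpos($candidate, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration on a scratch tree built for this example (constructed data).
$scratch = sys_get_temp_dir() . '/bd-demo-' . getmypid();
mkdir("$scratch/plugin/site", 0700, true);
file_put_contents("$scratch/wp-config.php", "<?php // constructed sample\n");
file_put_contents("$scratch/plugin/site/upload.jpg", 'x');

$base = "$scratch/plugin/site";
$traversal = '../../wp-config.php';

// Separator normalisation keeps '../' intact, so the result points at the
// file two levels above the base: this is the path unlink() would follow.
echo normalizeSeparatorsOnly($base, $traversal), ' exists: ',
    var_export(file_exists(normalizeSeparatorsOnly($base, $traversal)), true), PHP_EOL;

// The containment check refuses the traversal and accepts a genuine upload.
echo 'traversal -> ', var_export(resolveInsideBase($base, $traversal), true), PHP_EOL;
echo 'upload.jpg -> ', var_export(resolveInsideBase($base, 'upload.jpg'), true), PHP_EOL;

// Remove the scratch tree.
unlink("$scratch/plugin/site/upload.jpg");
unlink("$scratch/wp-config.php");
rmdir("$scratch/plugin/site");
rmdir("$scratch/plugin");
rmdir($scratch);
```

Run it with `php` from the command line. The point of the hardened version is that the decision is made on the canonical path returned by realpath(), after the file name has been reduced to a bare basename, rather than on the string the client supplied; rejecting `..` textually is not enough on its own, because encoded or mixed-separator variants would still have to be enumerated.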
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a path traversal vulnerability leading to arbitrary file deletion in the WP-BusinessDirectory plugin for WordPress (versions up to and including 4.0.1). The vulnerable endpoint is reachable over the network with no authentication required, and the _filename parameter accepts unsanitized input including ../ sequences that traverse outside the intended plugin directory. A successful attacker can delete arbitrary files accessible to the web server process, including critical files such as wp-config.php, which can render the site inoperable or pave the way for further compromise. No fix version has been published; HarborGuard tracks this advisory and will make a patched rebuild available as soon as upstream ships a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including the Wordfence advisory within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the WP-BusinessDirectory plugin. Any image containing the affected plugin at version 4.0.1 or earlier is flagged in the customer's registry and CI pipeline scan results.
HarborGuard scores this finding at CVSS 9.1 Critical and weights it against each customer environment's compliance policy to determine urgency and routing. The finding is directed to the appropriate team inbox within each customer organization based on configured ownership and policy rules.
Because no upstream fix has been published, HarborGuard re-checks the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated plugin version is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy recommendations, including isolating the affected workload and blocking unauthenticated external access to WordPress frontend routing endpoints.
Exploit Conditions
- Network reachability: Required
The vulnerable task=upload.remove endpoint is exposed over the network via WordPress's frontend routing system, so the attacker must be able to send HTTP requests to the target site.
- Authentication: Not required
The endpoint requires no authentication; any unauthenticated HTTP client can invoke the remove() method and supply the _filename parameter.
- Victim interaction: Not required
No victim interaction is needed; the attacker sends a crafted request directly and the file deletion occurs server-side without any user action.
- Attack complexity: Low
The exploit is reliable and condition-free: no race conditions or special environmental configuration are needed, only a crafted _filename value containing ../ traversal sequences.
Blast Radius
- Deletes wp-config.php or wp-config-backup.php, stripping the site of its database credentials and forcing a WordPress setup state that an attacker can exploit to reinstall the site under their control.
- Deletes arbitrary files readable and writable by the web server process, including theme files, plugin files, or .htaccess, disrupting site functionality or disabling security controls.
- Causes full service disruption by removing files critical to WordPress bootstrapping, taking the site offline.
- Integrity of the entire WordPress file system is at risk: any file the web server user can access is a deletion target, with no upper bound on the scope of damage.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against customer images within minutes of Wordfence advisory ingestion, covering all images that bundle WP-BusinessDirectory at 4.0.1 or earlier, including custom-built WordPress images. Because no upstream patch exists, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads as soon as a fix is published. While no patch is available, customers are encouraged to apply compensating controls: use network policies or a web application firewall to block unauthenticated POST requests to the task=upload.remove endpoint; restrict egress from the WordPress container to limit lateral movement after any file is deleted; and audit web server file permissions to minimize the set of files the PHP process can unlink. These controls can be documented and tracked as exceptions inside HarborGuard's compliance policy workflow until the upstream fix is released.
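One form the recommended compensating control can take while no fixed plugin version exists is a WordPress must-use plugin that refuses the risky request before the plugin's routing runs. The code below is an added example written for this page, not vendor or HarborGuard code. It assumes the request parameter names the advisory describes (`task`, `_filename`) and that the endpoint is reached through an ordinary WordPress request so the `init` hook fires; the `bd_guard_` prefix is a name chosen here. The decision logic is kept in a pure function so it can be unit-tested outside WordPress.

```php
<?php
/**
 * Plugin Name: Temporary guard for WP-BusinessDirectory upload.remove
 * Description: Added compensating control (not vendor code). Place in
 *              wp-content/mu-plugins/ until a fixed plugin version ships.
 */

// Pure decision function: true when the request should be rejected.
// Blocks unauthenticated calls to the file-removal task, and any request
// (authenticated or not) whose _filename carries a traversal sequence.
function bd_guard_should_block(array $request, bool $loggedIn): bool
{
    $task = isset($request['task']) ? (string) $request['task'] : '';
    if (!$loggedIn && strcasecmp($task, 'upload.remove') === 0) {
        return true;
    }

    $filename = isset($request['_filename']) ? (string) $request['_filename'] : '';
    if ($filename === '') {
        return false;
    }
    // Normalise backslashes and undo one layer of URL encoding so that
    // '..\', '%2e%2e%2f' and similar spellings are all caught.
    $decoded = rawurldecode(str_replace('\\', '/', $filename));
    return strpos($decoded, '../') !== false
        || strpos($decoded, "\0") !== false;
}

// Hook early enough to run before the plugin's frontend router, but after
// pluggable functions such as is_user_logged_in() are loaded.
add_action('init', function () {
    if (bd_guard_should_block($_REQUEST, is_user_logged_in())) {
        // Record the event for investigation without echoing attacker input
        // back into the response.
        error_log(sprintf(
            'bd-guard: blocked upload.remove request from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});
```

The rule is deliberately narrow: it does not alter the plugin's own code, so it can be removed cleanly once a fixed version is installed, and the `error_log()` line gives the SOC a searchable marker (`bd-guard: blocked`) to alert on while the guard is in place. The same two conditions translate directly into a WAF rule for deployments that prefer to block at the edge.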
Affected Products
- cmsjunkie / WP-BusinessDirectory – Business directory plugin for WordPress: ≤ 4.0.1
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H