CVE-2026-39591

Vulnerability

An arbitrary file upload vulnerability exists in the WordPress plugin WP-BusinessDirectory versions up to and including 4.0.0. The flaw allows a subscriber-level user to upload any file type to the server, including executable scripts. The vulnerability is present in the file upload functionality without proper validation or access control [1].

Exploitation

An attacker needs only subscriber-level access to the WordPress site, which can be obtained via self-registration if enabled. The attack sequence involves uploading a malicious file (e.g., a PHP web shell) through the plugin's file upload mechanism, which does not restrict file types or enforce authentication for higher privileges. No additional user interaction is required beyond the attacker's actions [1].

Impact

Successful exploitation allows the attacker to upload arbitrary files, including backdoors, which can then be executed to gain unauthorized access to the website. This can lead to complete site compromise, including data theft, defacement, or further propagation of attacks. The vulnerability is rated with a CVSS score of 9.9 (Critical) due to the low complexity and high impact on confidentiality, integrity, and availability [1].

Mitigation

The vulnerability is fixed in version 4.0.1 of WP-BusinessDirectory. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update is applied. The vulnerability is expected to be exploited in mass campaigns, so prompt action is critical [1].