This vulnerability (CWE-434) in WP-BusinessDirectory (<=4.0.0) permits users with subscriber privileges to upload files of dangerous types without restriction. This arbitrary file upload flaw can be exploited remotely without user interaction, resulting in complete system compromise as indicated by the CVSS 3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability is publicly known but no known exploits in the wild have been reported. No vendor advisory or patch information is currently available.

Successful exploitation allows an attacker with subscriber-level access to upload malicious files, potentially leading to full system compromise including complete loss of confidentiality, integrity, and availability of the affected system.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict subscriber file upload permissions or disable the plugin if possible to reduce risk.