CVE-2026-6070: CWE-73 External Control of File Name or Path in cmsjunkie WP-BusinessDirectory – Business directory plugin for WordPress
The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class. The task=upload.remove endpoint is accessible without authentication via the plugin's frontend routing system. The _filename parameter is accepted with RAW filter (no sanitization), and the helper function makePathFile() only normalizes directory separator characters without stripping path traversal sequences (../). When combined with the _path_type=2 parameter, which sets the base directory to the plugin's site folder, an attacker can supply a _filename value containing ../ sequences to traverse outside the plugin directory and call PHP's unlink() on arbitrary files — including wp-config.php, wp-config-backup.php, or other critical server files accessible to the web server process. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
AI Analysis
Technical Summary
CVE-2026-6070 is an unauthenticated arbitrary file deletion vulnerability in the WP-BusinessDirectory WordPress plugin (up to version 4.0.1). The issue arises from insufficient validation of the _filename parameter in the remove() method of the JBusinessDirectoryControllerUpload class. The endpoint task=upload.remove is accessible without authentication and accepts the _filename parameter without sanitization, allowing path traversal sequences (../). When combined with the _path_type=2 parameter, attackers can traverse outside the plugin directory and invoke PHP's unlink() function on arbitrary files accessible to the web server, including wp-config.php and other critical files. This can lead to denial of service or further compromise due to deletion of essential files.
Potential Impact
An unauthenticated attacker can delete arbitrary files on the server running the vulnerable plugin, including critical WordPress configuration files such as wp-config.php. This can cause denial of service, site downtime, or facilitate further attacks by disrupting the integrity of the WordPress installation. The vulnerability has a CVSS 3.1 score of 9.1, indicating critical impact with high exploitability and high impact on integrity and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the vulnerable endpoint if possible, and monitor for suspicious requests targeting the task=upload.remove endpoint. Avoid using the vulnerable plugin version 4.0.1 or earlier in production environments. Follow vendor advisories closely for updates and apply official patches once released.
CVSS v3.1
Score: 9.1 (Critical)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-04-10T13:34:33.261Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a44a07a27e9c79719fbd721
Added to database: 07/01/2026, 05:07:06 UTC
Last enriched: 07/01/2026, 05:22:07 UTC
Last updated: 07/02/2026, 01:52:39 UTC