
WP-BusinessDirectory Arbitrary File Upload Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-39591

A critical arbitrary file upload vulnerability exists in a WordPress business directory plugin. If reachable, an attacker with limited privileges could upload malicious files, potentially leading to code execution or data compromise. You should care because this could impact system integrity and data confidentiality.

Halo Surface Signal: 4

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2026-39591

This vulnerability exists in a WordPress plugin designed for business directories. WordPress sites and their associated plugins are commonly deployed as public-facing web applications, making the file upload functionality typically accessible via the internet.

PCI scan relevance

PCI Relevance for CVE-2026-39591

Yes

CVE-2026-39591 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Arbitrary file upload vulnerabilities like this one are considered critical and can lead to remote code execution, which would cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical security vulnerability has been identified in a WordPress plugin used for business directories, potentially allowing unauthorized users to upload arbitrary files. This type of flaw could enable malicious actors to introduce harmful content or code into affected systems, posing a significant risk to data integrity and system security.

  • Issue: Unrestricted file uploads in a directory plugin.
  • Why remember: Potential for code injection and data compromise.
  • Takeaway: Confirm if this plugin is in use.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by uploading a malicious file to a website using the WP-BusinessDirectory plugin. This file upload feature is accessible over the network, and with limited privileges, an attacker could gain the ability to execute arbitrary code on the server.

  • Publicly accessible upload feature.
  • Uploading a crafted malicious file.
  • Arbitrary code execution on server.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in WP-BusinessDirectory allows an authenticated user to upload arbitrary files, potentially impacting system integrity and data confidentiality. Where the advisory supports it, this could enable an attacker to execute malicious code or disrupt service.

  • System files and user data.
  • Arbitrary file upload.
  • Code execution or service disruption.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

For CVE-2026-39591, the primary responsibility likely falls to the application owner or website administrator responsible for the WordPress site utilizing the WP-BusinessDirectory plugin. The first crucial step is to identify all instances of the WP-BusinessDirectory plugin, determine their exposure and business criticality, and then escalate to the appropriate technical teams for remediation planning.

  • Application owners should manage this.
  • Verify plugin presence and exposure.
  • Plan and coordinate remediation efforts.

Frequently asked questions

What is WP-BusinessDirectory?

WP-BusinessDirectory is a WordPress plugin used to manage and display business listings. Site owners typically use it to create interactive directories for their visitors. Because it runs within the WordPress ecosystem, it relies on the underlying server to handle user-submitted content, such as image or document uploads, which are managed through the plugin's interface.

What does CWE-434 mean for CVE-2026-39591?

This vulnerability is classified as CWE-434, which refers to Unrestricted Upload of File with Dangerous Type. In plain English, the software does not properly check the format or content of files being uploaded by users. Because the plugin fails to enforce strict validation, it inadvertently allows an attacker to upload files that could act as malicious scripts, bypassing intended security controls to interact directly with the server.
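To make the CWE-434 distinction concrete, here is an added Python example (not code from the plugin, the advisory, or Halo) that puts the weak pattern beside a hardened validator. The weak check trusts the client-declared MIME type and never looks at the bytes; the hardened one enforces an extension allowlist, verifies the leading bytes match the declared type, bounds the size, rejects image files that carry a PHP open tag, and assigns a server-chosen filename. Every file body in `SAMPLES` is a constructed placeholder, and the allowlist is an assumption to adapt to what the site actually needs.

```python
import os
import re
import secrets

# Allowlist of extension -> acceptable leading bytes (magic numbers). Assumption: the
# site only needs images and PDFs; anything else is rejected regardless of MIME type.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# Constructed samples (not real files): name -> (bytes, client-declared MIME type).
SAMPLES = {
    "logo.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, "image/png"),
    "brochure.pdf": (b"%PDF-1.4\n%constructed placeholder\n", "application/pdf"),
    "photo.png": (b"<?php // constructed placeholder ?>", "image/png"),   # script named as an image
    "notes.php": (b"<?php // constructed placeholder ?>", "image/jpeg"),  # lying MIME type
}


def weak_accepts(filename, client_mime):
    """The CWE-434 pattern: decides on the client-supplied MIME type alone."""
    return client_mime.startswith("image/") or client_mime == "application/pdf"


def validate_upload(filename, data, max_bytes=5 * 1024 * 1024):
    """Return (ok, reason, safe_name): the hardened check for the same upload."""
    if len(data) == 0 or len(data) > max_bytes:
        return False, "size", None
    # Strip any directory component, including Windows-style separators.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return False, "extension", None
    # The bytes must actually look like the type the extension claims.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content-type mismatch", None
    # Heuristic defence against a valid image that also carries PHP code; the real
    # control is that the web server never executes anything under the uploads path.
    if b"<?php" in data:
        return False, "embedded script", None
    # Never reuse the client's name: a random name plus the verified extension.
    safe_name = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", safe_name


def run_samples():
    """Apply both checks to the constructed samples; returns name -> (weak, hardened, reason)."""
    results = {}
    for name, (data, mime) in SAMPLES.items():
        ok, reason, _ = validate_upload(name, data)
        results[name] = (weak_accepts(name, mime), ok, reason)
    return results


if __name__ == "__main__":
    for name, (weak, hard, reason) in run_samples().items():
        print(f"{name:14} weak={weak!s:5} hardened={hard!s:5} ({reason})")
```

Run as a script it shows the two script samples accepted by the weak check and refused by the hardened one, which is the gap the CWE describes.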

How can an attacker trigger this vulnerability?

An attacker needs an account with enough privileges to access the plugin's file upload features to exploit this flaw. The vulnerability is triggered by submitting a specially crafted file that the plugin accepts without proper verification. It is important to note that simply visiting the site or viewing a directory page does not trigger this issue; the attacker must be able to interact with the plugin's upload function to successfully upload their malicious content.

Is my site at risk?

If you run WP-BusinessDirectory version 4.0.0 or older, your site is potentially affected. Halo Surface Signal notes that since this plugin is designed for public-facing business directories, the upload functionality is often reachable from the internet. This means that if an unauthorized person gains access to an account with upload permissions, they could potentially target your server, making it essential to determine if this specific plugin is active on your web infrastructure.

How should I respond to this threat?

Start by identifying all WordPress installations within your environment that currently use the WP-BusinessDirectory plugin. Once you have located these instances, confirm the version number to see if it falls within the affected range. After verifying the presence of the plugin, coordinate with your web administration team to plan for updates or implement temporary access restrictions to the upload feature until a permanent resolution is applied.
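The response steps above (locate every WordPress install, find the plugin, check its version against the affected range) as an added Python example; this is not a tool from the advisory, Halo, or the plugin vendor. The plugin directory slug `wp-businessdirectory` is an assumption to replace with the real one, and the three sample sites are constructed in a temporary directory so the script runs offline. The `Version:` header line is the standard WordPress plugin header, a WordPress root is recognised by its `wp-config.php`, and 4.0.0 is the last affected version stated on this page.

```python
import os
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "wp-businessdirectory"   # assumption: adjust to the plugin's real directory name
LAST_AFFECTED = (4, 0, 0)              # "version 4.0.0 or older" per the advisory

# Matches the 'Version:' line of a WordPress plugin header, with or without a leading '*'.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def parse_version(text):
    """Turn '4.0.1' or '3.9.2-beta' into a comparable tuple of three ints."""
    parts = []
    for piece in text.split("-")[0].split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def plugin_version(plugin_dir):
    """Read the Version header from the plugin's main PHP file, or None if absent."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = HEADER_RE.search(php.read_text(errors="replace")[:8192])
        if m:
            return m.group(1)
    return None


def find_wordpress_roots(search_root):
    """Every directory under search_root that holds a wp-config.php."""
    roots = []
    for dirpath, dirnames, filenames in os.walk(search_root):
        if "wp-config.php" in filenames:
            roots.append(Path(dirpath))
            dirnames[:] = []   # no need to descend into the install itself
    return roots


def assess(search_root):
    """Return (install_path, version, affected) for each install that has the plugin."""
    findings = []
    for root in find_wordpress_roots(search_root):
        plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
        if not plugin_dir.is_dir():
            continue
        ver = plugin_version(plugin_dir)
        # An unreadable version is treated as affected so it gets a human look.
        affected = ver is None or parse_version(ver) <= LAST_AFFECTED
        findings.append((str(root), ver, affected))
    return findings


def build_fixture():
    """Constructed sample tree: one affected site, one patched, one without the plugin."""
    base = Path(tempfile.mkdtemp())
    for site, ver in {"site-a": "3.9.2", "site-b": "4.1.0", "site-c": None}.items():
        root = base / "var" / "www" / site
        root.mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed sample\n")
        if ver:
            pdir = root / "wp-content" / "plugins" / PLUGIN_SLUG
            pdir.mkdir(parents=True)
            (pdir / f"{PLUGIN_SLUG}.php").write_text(
                f"<?php\n/*\nPlugin Name: WP-BusinessDirectory\nVersion: {ver}\n*/\n")
    return base


if __name__ == "__main__":
    for root, ver, affected in assess(build_fixture()):
        print(f"{root}: version {ver}  {'AFFECTED' if affected else 'not affected'}")
```

Point `assess()` at the real web root (for example `/var/www`) instead of the fixture; installs without the plugin are silently skipped, so the output is the list to hand to the web administration team for patching or for restricting the upload feature in the meantime.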
