External risk intelligence

WP-BusinessDirectory Unauthenticated Arbitrary File Deletion

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-6070

The vulnerability exists in a WordPress plugin that exposes an unauthenticated endpoint via the frontend routing system. Because WordPress sites are commonly deployed as public-facing web applications, this endpoint is accessible to any internet user, making the vulnerable functionality reachable without authentication in typical real-world deployments.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in a popular WordPress plugin that could allow unauthorized deletion of critical server files, including configuration files. This issue stems from insufficient validation of file paths within the plugin's upload functionality. While the direct business impact requires further assessment, the potential for data loss or service disruption warrants attention.

  • Unauthenticated attackers can delete important files.
  • Confirms a specific plugin vulnerability for investigation.
  • Assess plugin relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can initiate a file deletion attack by sending a request to a vulnerable endpoint exposed by the WP-BusinessDirectory plugin. This endpoint lacks proper validation for file paths, allowing an attacker to provide specially crafted input that traverses directory structures. By manipulating the path, an attacker can target and delete critical server files, such as configuration files, leading to a compromise of the web server.

  • No authentication needed.
  • Triggered via a web request.
  • Arbitrary file deletion risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to delete critical server files, including configuration files like wp-config.php, when the WP-BusinessDirectory plugin is in use. The attacker could leverage insufficient path validation in the upload controller to traverse directories and target specific files for deletion.

  • Critical server files
  • Arbitrary file deletion
  • Server instability or compromise

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the WP-Business Directory plugin impacts WordPress sites, particularly those with public-facing web applications. Infrastructure and platform teams are likely responsible for identifying affected instances and assessing their reachability and business criticality. The first practical step is to locate all deployments of the plugin, confirm exposure, identify the accountable owner, and then plan remediation based on the risk assessment.

  • WordPress site owners should own the issue.
  • Verify plugin deployment and public reachability.
  • Plan remediation and coordinate vendor updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the WP-BusinessDirectory plugin?

WP-BusinessDirectory is a WordPress plugin designed to help site administrators create, manage, and display searchable business listings or directories on their websites. It functions as an extension that integrates into the WordPress dashboard and frontend, allowing users to upload documents or images associated with these listings. This vulnerability resides in the plugin's file management system, which handles these user-submitted uploads.

How does CVE-2026-6070 allow file deletion?

This vulnerability is classified as CWE-73, or External Control of File Name or Path. The plugin fails to properly check file paths provided by users, allowing them to include '..' navigation sequences. When an attacker sends a request to the plugin's upload controller, they can manipulate these paths to escape the intended directory and point the system to critical files outside the plugin folder, which the server then deletes.

Do I need to be logged in to trigger this bug?

No. The vulnerable endpoint, which is part of the plugin's frontend routing system, does not require authentication. This means anyone with access to the website can attempt to send a request that triggers the deletion process. Simply visiting the site or interacting with a directory listing is not enough; the attacker must specifically send a crafted request targeting the upload.remove functionality to initiate the file deletion sequence.

Is my site at risk if it runs this plugin?

According to Halo Surface Signal, this vulnerability is considered highly relevant because the plugin exposes its functionality through public-facing web routes. Since WordPress sites are typically deployed as internet-accessible applications, the vulnerable endpoint is reachable by any user globally. If your site is connected to the internet, it should be considered potentially accessible to an attacker attempting to exploit this flaw.

When should I take action for this vulnerability?

You should prioritize this immediately if you use WP-BusinessDirectory. First, verify whether you have the plugin installed on your WordPress instance. Once identified, locate the accountable owner for the site to assess the business risk. Since this issue allows the deletion of essential files like wp-config.php, your primary goal is to restrict access to the plugin or remove it until a secure update is applied.

References