CVE-2026-6070
Status: Received - Intake

Unauthenticated Arbitrary File Deletion in WP-BusinessDirectory

Vulnerability report for CVE-2026-6070, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class. The task=upload.remove endpoint is accessible without authentication via the plugin's frontend routing system. The _filename parameter is accepted with RAW filter (no sanitization), and the helper function makePathFile() only normalizes directory separator characters without stripping path traversal sequences (../). When combined with the _path_type=2 parameter, which sets the base directory to the plugin's site folder, an attacker can supply a _filename value containing ../ sequences to traverse outside the plugin directory and call PHP's unlink() on arbitrary files, including wp-config.php, wp-config-backup.php, or other critical server files accessible to the web server process. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

CVSS Scores

EPSS Scores


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

1 associated CPE:
Vendor: businessdirectory
Product: wp-businessdirectory
Version range: up to and including 4.0.1

Helpful Resources

Exploitability

CWE: CWE-73 (External Control of File Name or Path) - The product allows user input to control or influence paths or file names that are used in filesystem operations.
KEV: no entry shown


AI Quick Actions

Executive Summary

The WP-BusinessDirectory plugin for WordPress has a vulnerability in versions up to and including 4.0.1 that allows unauthenticated arbitrary file deletion. This happens because the plugin's remove() method does not properly validate file paths. Specifically, the task=upload.remove endpoint can be accessed without authentication, and it accepts a _filename parameter without sanitization. The helper function makePathFile() only normalizes directory separators but does not remove path traversal sequences like ../. When combined with the _path_type=2 parameter, which sets the base directory to the plugin's site folder, an attacker can use ../ sequences in the _filename to traverse outside the plugin directory and delete arbitrary files on the server using PHP's unlink() function.

Impact Analysis

This vulnerability can have severe impact because it allows an unauthenticated attacker to delete any file the web server process is permitted to remove. unlink() only needs write permission on the containing directory, not on the file itself, so on the common layout where the PHP user owns the WordPress tree that covers wp-config.php, wp-config-backup.php, .htaccess, and plugin and theme files, regardless of their own permission bits. Deleting wp-config.php takes the site offline and is also a well-known takeover path: WordPress then presents its installation wizard, which an attacker can complete against a database they control to obtain an administrator account and run code through the admin interface. Other deletions cause downtime, loss of configuration, and data loss, and compromise the integrity and availability of the website.

Detection Guidance

Exploitation is a single unauthenticated request to the plugin's frontend router carrying task=upload.remove, _path_type=2, and a _filename value that contains a '..' segment. Detection can therefore focus on that parameter combination in HTTP requests, keeping in mind that the traversal may be percent-encoded (..%2F, %2e%2e/) or double-encoded, and that parameters sent in a POST body do not appear in standard access logs.

You can detect attempts by inspecting web server logs or by using a WAF or IDS that sees the full request, including the body.

  • Search access logs for the endpoint combined with a plain or encoded traversal in _filename. Escape the dots: an unescaped '..' in a regex matches any two characters and will flag benign file names. For example: grep 'task=upload.remove' /var/log/apache2/access.log | grep -Ei '_filename=[^& ]*(\.\.|%2e%2e)'
  • Use a WAF, IDS, or network monitoring tool to alert on requests carrying task=upload.remove with a '..' segment, in any encoding, in _filename, and on any POST to that task whose body is not visible to the log pipeline.
  • A successful attempt leaves a second trace: once wp-config.php is gone, WordPress redirects visitors to wp-admin/setup-config.php, so an alert on unexpected responses for that path, or on file-integrity changes under the WordPress root, catches the outcome even when the request itself was missed.
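As a worked version of the log check above, here is a Python scanner over constructed Apache-style access-log lines. It is an added example, not the page's or the vendor's tooling; the /directory/ URL is an assumption about how the frontend router is reached on a given site. It covers the two cases a one-line grep misses: percent- or double-encoded traversal, and POST requests whose parameters never reach the access log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# A ".." path segment bounded by either slash style (or string start/end).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

# Constructed sample log: two traversal attempts (one double-encoded), one
# benign-looking use of the task, one POST with no visible parameters, and
# one unrelated request. The /directory/ path is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2026:10:15:01 +0000] "GET /directory/?task=upload.remove&_path_type=2&_filename=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 17 "-" "curl/8.6.0"
203.0.113.5 - - [01/Jul/2026:10:15:02 +0000] "GET /directory/?task=upload.remove&_path_type=2&_filename=%252e%252e%252f%252e%252e%252fwp-config-backup.php HTTP/1.1" 200 17 "-" "curl/8.6.0"
198.51.100.7 - - [01/Jul/2026:10:16:40 +0000] "GET /directory/?task=upload.remove&_path_type=2&_filename=logo.png HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jul/2026:10:17:12 +0000] "POST /directory/?task=upload.remove HTTP/1.1" 200 17 "-" "python-requests/2.32"
192.0.2.3 - - [01/Jul/2026:10:18:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
"""


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (..%2F.., %252e%252e%252f) so an encoded
    traversal is matched by the same regex as a plain one."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return (ip, verdict, filename) for a line that touches the upload.remove
    task, or None for anything else. Verdicts:
      exploit_attempt - _filename carries a '..' segment after decoding
      endpoint_use    - _filename present without traversal (still worth review)
      inspect_body    - POST with no _filename in the query string; the parameter
                        may be in the request body, which access logs do not
                        record, so check WAF or body logs for that request
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if "upload.remove" not in params.get("task", []):
        return None
    # parse_qs decodes one layer; fully_decode catches double encoding.
    filenames = [fully_decode(v) for v in params.get("_filename", [])]
    hit = next((f for f in filenames if TRAVERSAL_RE.search(f)), None)
    if hit is not None:
        return m.group("ip"), "exploit_attempt", hit
    if filenames:
        return m.group("ip"), "endpoint_use", filenames[0]
    if m.group("method") == "POST":
        return m.group("ip"), "inspect_body", None
    return m.group("ip"), "endpoint_use", None


def scan(log_text):
    """Classify every line and keep only those that involve the task."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for ip, verdict, filename in scan(SAMPLE_LOG):
        print(f"{ip:15} {verdict:16} {filename}")
```

Running it lists the two traversal requests from 203.0.113.5 as exploit attempts with the decoded target file name, the logo.png request as ordinary endpoint use, and the bare POST as a request whose body has to be checked elsewhere. Feed a real log through scan() by reading the file and passing its text; the regex assumes the combined log format, so adjust LOG_RE if the server writes a custom format.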
Mitigation Strategies

Immediate mitigation is to update WP-BusinessDirectory to the vendor's fixed release. Every version up to and including 4.0.1 is affected and the fix is in a later version, so check the plugin changelog for the first patched number.

If an update is not immediately possible, add a WAF or web-server rule that rejects requests carrying task=upload.remove whose _filename contains a '..' segment in any encoding, or block task=upload.remove altogether if frontend file removal is not needed. The endpoint is reachable without authentication by design, so a rule that merely drops "unauthenticated" requests cannot separate attackers from ordinary visitors; match on the task and its parameters instead.

Additionally, monitor and audit file deletions on the server, especially wp-config.php and other files under the WordPress root, using a file-integrity monitor or an audit rule, and keep an off-host copy of wp-config.php so the site can be restored without going through the installer. Tightening the file's own permission bits does not help: unlink() needs write permission on the containing directory, not on the file, so a read-only wp-config.php is still deletable when the web server user owns the WordPress root.
