WP-BusinessDirectory WordPress Plugin Unauthenticated Arbitrary File Deletion (CVE-2026-6070)
Scope: WP-BusinessDirectory WordPress Plugin Versions up to and Including 4.0.1
Severity: Red
A critical path traversal vulnerability (CVSS 9.1) in the WP-BusinessDirectory WordPress plugin allows an unauthenticated attacker to delete arbitrary files on the server. The plugin passes a request-supplied file name to a deletion routine without sanitizing it, so directory traversal sequences such as ../ in that parameter select files outside the directory the plugin intends to manage. Any file the web server account is permitted to unlink is exposed, including wp-config.php; deleting it renders the site inoperable and brings up the WordPress setup wizard, which lets the attacker point the installation at a database they control and take over the site completely. Because the vulnerable endpoint requires no authentication whatsoever, automated scanning tools can identify and exploit exposed installations at scale. Administrators must update to a patched version immediately. Where an update is not yet available, deactivate the plugin entirely, restrict the web server account's write access within the WordPress directory structure (a process can only delete files in directories it is allowed to write to, so wp-config.php and the WordPress core directories should not be writable by it), monitor web server access logs for requests to the plugin that carry traversal sequences (including URL-encoded forms such as %2e%2e%2f), and use file integrity monitoring to detect unexpected deletions.
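The weak pattern this advisory describes, beside a hardened handler, as an added illustration that is not code from WP-BusinessDirectory (the page does not show the plugin's own handler). The AJAX action names, the "file" parameter, the business-directory uploads subdirectory and all function names are assumptions. The hardened handler applies three independent controls: it is only registered for logged-in users and checks a capability and a nonce, it accepts a bare file name rather than a path, and it confirms that the canonicalised path (after symlink resolution) still lies inside the allowed directory before calling unlink().

```php
<?php
// Added illustration for this advisory; not code from the WP-BusinessDirectory
// plugin. The action names, the "file" parameter, the business-directory
// uploads subdirectory and the function names are hypothetical.

/*
 * Weak pattern. The handler is registered on a wp_ajax_nopriv_* hook, so it
 * is reachable without logging in, and it unlinks whatever path the request
 * supplies. file=../../../wp-config.php escapes the uploads directory.
 */
add_action( 'wp_ajax_nopriv_bd_delete_file', 'bd_delete_file_vulnerable' );
function bd_delete_file_vulnerable() {
	$base = wp_upload_dir()['basedir'] . '/business-directory/';
	$file = $_REQUEST['file'];            // attacker-controlled, never sanitized
	if ( file_exists( $base . $file ) ) {
		unlink( $base . $file );          // deletes outside $base when $file contains ../
	}
	wp_die();
}

/*
 * Hardened pattern. Only logged-in administrators with a valid nonce reach
 * the handler, the request may name a file but not a path, and the resolved
 * path is checked against the allowed directory before anything is deleted.
 */
add_action( 'wp_ajax_bd_delete_file', 'bd_delete_file_hardened' ); // no nopriv hook
function bd_delete_file_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	check_ajax_referer( 'bd_delete_file' ); // dies when the nonce is missing or invalid

	$base = realpath( wp_upload_dir()['basedir'] . '/business-directory' );
	if ( false === $base ) {
		wp_send_json_error( 'directory missing', 500 );
	}

	$target = bd_resolve_in_dir( $base, (string) ( $_REQUEST['file'] ?? '' ) );
	if ( null === $target ) {
		wp_send_json_error( 'invalid file', 400 );
	}
	if ( ! unlink( $target ) ) {
		wp_send_json_error( 'delete failed', 500 );
	}
	wp_send_json_success( basename( $target ) );
}

/**
 * Return the absolute path of file $name inside directory $base, or null when
 * the request would reach anything else: a traversal sequence, a subdirectory,
 * an absolute path, a null byte, a directory, or a symlink that resolves
 * outside $base.
 */
function bd_resolve_in_dir( string $base, string $name ): ?string {
	// Only a bare file name is acceptable; "../x", "sub/x" and "/etc/passwd"
	// all differ from their basename. A null byte would truncate the path in
	// older PHP versions, so it is rejected explicitly.
	if ( '' === $name || false !== strpos( $name, "\0" ) || $name !== basename( $name ) ) {
		return null;
	}
	// realpath() canonicalises the path and follows symlinks, so a link inside
	// $base that points at wp-config.php resolves to the real location.
	$path = realpath( $base . DIRECTORY_SEPARATOR . $name );
	if ( false === $path || ! is_file( $path ) ) {
		return null; // does not exist, or is a directory ("." and ".." land here)
	}
	// The resolved path must start with $base plus a separator; comparing
	// without the separator would accept a symlink target under a sibling
	// directory whose name merely begins with the name of $base.
	$prefix = $base . DIRECTORY_SEPARATOR;
	if ( 0 !== strncmp( $path, $prefix, strlen( $prefix ) ) ) {
		return null;
	}
	return $path;
}
```

The prefix check is the part that is most often omitted: basename() alone stops "../" but not a symlink planted inside the uploads directory, and a nonce alone stops CSRF but not a logged-in low-privilege user, so each control covers a case the others do not.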
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.