Unrated

Unauthenticated Arbitrary File Deletion in WP-BusinessDirectory <= 4.0.1

Identifiers: CVE-2026-6070, CWE-22

CVE-2026-6070 is a critical arbitrary file deletion vulnerability in the WP-BusinessDirectory plugin for WordPress affecting versions up to and including 4.0.1. The flaw is caused by insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class. The plugin exposes the task=upload.remove endpoint through its frontend routing system without requiring authentication. The _filename parameter is accepted using a RAW filter with no effective sanitization, and the helper function makePathFile() only normalizes directory separator characters without removing path traversal sequences such as ../. When an attacker supplies _path_type=2, which sets the base directory to the plugin's site folder, and a crafted _filename containing traversal sequences, the code can escape the intended directory and invoke PHP unlink() on arbitrary files accessible to the web server process. This enables remote, unauthenticated deletion of files such as wp-config.php, wp-config-backup.php, and other critical application or server files.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to delete arbitrary files reachable by the web server account. Impact can include denial of service through deletion of essential WordPress or plugin files, destruction of configuration files such as wp-config.php, forced application reinstallation or outage, and potential follow-on compromise depending on which files are removed and how the environment responds. Because the flaw affects file deletion rather than direct file write or code execution, the primary immediate impact is integrity loss and service disruption, but deletion of security-relevant files may also weaken the target environment.

Mitigation

If you can’t patch tonight, do this now.

Until patching or removal is completed, disable the WP-BusinessDirectory plugin or block access to the vulnerable frontend route handling task=upload.remove. Apply web application firewall or reverse proxy rules to deny requests containing task=upload.remove, _path_type=2, or traversal patterns such as ../ in _filename. Restrict filesystem permissions for the web server user to minimize the set of deletable files, and ensure backups exist for critical WordPress and server files to support recovery if exploitation occurs.
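The deny rules described above can be prototyped and checked against encoded variants before they are deployed to a WAF or reverse proxy. The following is an added example, not code from the plugin or from this advisory. It assumes the parameters arrive URL-encoded in the query string or form body; the function names, the decode-round limit and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double or triple URL-encoding


def fully_decode(value):
    """Percent-decode repeatedly so a doubly encoded '../' is still recognised."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(filename):
    """True if any path segment is '..' once decoded and separators are unified."""
    path = fully_decode(filename).replace("\\", "/")
    return ".." in path.split("/")


def deny_reasons(encoded_params):
    """Return the rule hits for one urlencoded parameter string ([] means allow)."""
    params = {}
    for key, value in parse_qsl(encoded_params, keep_blank_values=True):
        params.setdefault(key, []).append(fully_decode(value))  # keep repeated keys
    reasons = []
    if any(v.strip().lower() == "upload.remove" for v in params.get("task", [])):
        reasons.append("task=upload.remove")
    if any(v.strip() == "2" for v in params.get("_path_type", [])):
        reasons.append("_path_type=2")
    if any(has_traversal(v) for v in params.get("_filename", [])):
        reasons.append("traversal in _filename")
    return reasons


# Constructed sample parameter strings (not taken from real traffic).
SAMPLES = [
    "task=upload.remove&_path_type=2&_filename=..%2F..%2Fexample.txt",
    "task=upload.remove&_path_type=1&_filename=%252e%252e%252fexample.txt",
    "_filename=..%5C..%5Cexample.txt",
    "task=companies.view&_filename=logo..v2.png",
    "s=directory&page=2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = deny_reasons(sample)
        print("DENY " if hits else "ALLOW", sample, hits)
```

The traversal check matches whole `..` path segments rather than the substring, so a legitimate name such as `logo..v2.png` is not blocked while single, double and backslash-encoded traversal is.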

Remediation

Patch, then assume compromise.

Update WP-BusinessDirectory to a fixed version if one is available beyond 4.0.1. If no patched release is available, remove or disable the plugin. The vulnerable code should be corrected by enforcing strict path validation in the upload removal workflow, rejecting traversal sequences, canonicalizing paths before use, constraining deletion targets to an allowlisted directory, and preventing unauthenticated access to the upload.remove action unless explicitly required and securely authorized.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
