PatchSiren cyber security CVE debrief
CVE-2026-39591 CMSJunkie – WordPress Business Directory Plugins CVE debrief
A critical vulnerability (CVSS Score: 9.9) was discovered in the WP-BusinessDirectory plugin, version <= 4.0.0. This vulnerability allows subscribers to upload arbitrary files, potentially leading to severe consequences.
- Vendor
- CMSJunkie – WordPress Business Directory Plugins
- Product
- WP-BusinessDirectory
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Administrators and users of WordPress sites utilizing the WP-BusinessDirectory plugin version 4.0.0 or earlier should be aware of this vulnerability.
Technical summary
The WP-BusinessDirectory plugin, version <= 4.0.0, is vulnerable to arbitrary file uploads by subscribers. This issue has been assigned a CVSS score of 9.9, indicating a critical severity level.
Defensive priority
High
Recommended defensive actions
- Update WP-BusinessDirectory plugin to a version greater than 4.0.0.
- Review and restrict file upload permissions for subscribers.
- Monitor your WordPress site for suspicious file uploads.
Evidence notes
Evidence suggests that this vulnerability exists in WP-BusinessDirectory plugin versions <= 4.0.0.
Official resources
-
CVE-2026-39591 CVE record
CVE.org
-
CVE-2026-39591 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39591 was published on [2026-06-15T21:16:48.043Z](https://www.cve.org/CVERecord?id=CVE-2026-39591) and modified on [2026-06-15T21:24:32.790Z](https://nvd.nist.gov/vuln/detail/CVE-2026-39591).