CVE-2025-32629 HIGH

CVE-2025-32629: WordPress WP-BusinessDirectory Plugin <= 3.1.2 - Arbitrary File Deletion vulnerability

Vendor: CMSJunkie - WordPress Business Directory Plugins
Product: WP-BusinessDirectory
Weakness: CWE-22 · Path traversal
Published: April 11, 2025
Last update: April 28, 2026

CVSS base score

8.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory (wp-businessdirectory) allows Path Traversal. This issue affects WP-BusinessDirectory versions up to and including 3.1.2.

Explanation of Vulnerability in Simple Terms

02 Summary

WP-BusinessDirectory versions 3.1.2 and earlier contain a path traversal vulnerability that allows unauthenticated attackers to cause the site to become unavailable. The vulnerability requires no user interaction and can be exploited over the network. Sites running affected versions should update immediately to version 4.0.2 or later.

What an attacker can do

03 Attacker Capabilities

Make the site unavailable by exploiting a path traversal flaw to access or manipulate files outside intended directories.

Potential impact on your site

04 Site Impact

Your site could go offline or become unstable without warning. Visitors cannot access your site until you patch the plugin.

Conditions required to exploit

05 Prerequisites

None. The attacker needs only network access; no authentication or user interaction is required.

Key dates

06 Disclosure timeline

April 11, 2025: CVE published
April 28, 2026: Record updated