CVE-2025-32629 Overview
CVE-2025-32629 is a path traversal vulnerability in the CMSJunkie WP-BusinessDirectory plugin for WordPress. The flaw affects all versions of wp-businessdirectory up to and including 3.1.2. The vulnerability maps to CWE-22, improper limitation of a pathname to a restricted directory, and enables arbitrary file deletion on affected WordPress sites.
According to the Patchstack advisory, an unauthenticated remote attacker can traverse outside the intended directory and delete files on the server. Deleting key WordPress files such as wp-config.php can disrupt site availability and create conditions for full site takeover.
Critical Impact
Unauthenticated remote attackers can delete arbitrary files on the WordPress server, leading to denial of service and potential site compromise.
Affected Products
- CMSJunkie WP-BusinessDirectory plugin for WordPress
- WP-BusinessDirectory versions from initial release through 3.1.2
- WordPress sites running the wp-businessdirectory plugin
Discovery Timeline
- 2025-04-11 - CVE-2025-32629 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-32629
Vulnerability Analysis
The WP-BusinessDirectory plugin fails to properly validate or sanitize file path input supplied to a file deletion routine. An attacker can submit crafted input containing directory traversal sequences such as ../ to escape the plugin's intended working directory. The plugin then operates on the resolved path, allowing files outside the plugin scope to be removed.
Because the attack vector is network-based and requires no authentication or user interaction, exploitation only requires reaching the vulnerable plugin endpoint over HTTP or HTTPS. The flaw produces a scope change because deleting WordPress core files, plugin files, or configuration files affects resources beyond the plugin's own data.
Deletion of wp-config.php is a known escalation path. When WordPress detects a missing configuration file on the next request, it can enter the installation flow, allowing an attacker to point the site at an attacker-controlled database and gain administrative control.
Root Cause
The root cause is missing path canonicalization and allowlist validation on file paths supplied to a delete operation. User-controlled input flows into a filesystem function without verifying that the resolved path resides within the plugin's permitted directory.
Attack Vector
The attacker sends an unauthenticated HTTP request to the vulnerable plugin endpoint with a path parameter containing traversal sequences. The plugin resolves the path relative to its working directory, follows the traversal, and deletes the targeted file. No credentials, tokens, or user interaction are required.
No verified public proof-of-concept code is available at this time. See the Patchstack Vulnerability Report for technical details.
Detection Methods for CVE-2025-32629
Indicators of Compromise
- HTTP requests to WP-BusinessDirectory endpoints containing ../, ..%2f, or URL-encoded traversal sequences in parameters referencing file paths
- Missing or recently deleted WordPress core files, including wp-config.php, index.php, or .htaccess
- WordPress unexpectedly displaying the initial setup or installation screen to visitors
- Web server error logs showing file-not-found errors for files that previously existed
Detection Strategies
- Inspect web server access logs for requests targeting wp-businessdirectory plugin paths with path parameters or query strings containing traversal patterns
- Run file integrity monitoring against the WordPress installation to flag unexpected deletions of core files, plugin files, and configuration files
- Alert on WordPress installation-state requests such as /wp-admin/install.php from external sources following plugin activity
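The log inspection above, as an added example that is not part of the advisory: it parses constructed combined-format access-log lines, decodes twice so single- and double-encoded traversal both surface, tags requests at wp-businessdirectory paths, and escalates a later /wp-admin/install.php request from the same source, which is the deletion-then-installer sequence the Technical Details section describes. The endpoint path, addresses and log lines are constructed.

```python
import re
import urllib.parse

# Constructed sample lines in combined log format (documentation-range IPs);
# the plugin endpoint path is an assumption, not taken from the plugin.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/wp-businessdirectory/listing?file=logo.png HTTP/1.1" 200 512
203.0.113.7 - - [11/Apr/2025:10:01:05 +0000] "GET /wp-content/plugins/wp-businessdirectory/listing?file=..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 0
198.51.100.9 - - [11/Apr/2025:10:01:09 +0000] "GET /wp-content/plugins/wp-businessdirectory/listing?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 0
203.0.113.7 - - [11/Apr/2025:10:02:30 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 4096
192.0.2.4 - - [11/Apr/2025:10:03:00 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.(/|\\|$)")  # ../ , ..\ or a bare trailing ..

def classify(line: str):
    """Tag one access-log line. Returns None if it does not parse, otherwise a
    dict whose 'tags' list is empty for a clean request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so single (..%2f) and double (%252e%252e%252f) encodings
    # both surface as ../ before matching; lowercase covers ..%2F and path case.
    target = urllib.parse.unquote(urllib.parse.unquote(m.group("target"))).lower()
    path = target.partition("?")[0]
    tags = []
    if TRAVERSAL_RE.search(target):
        tags.append("plugin-traversal" if "wp-businessdirectory" in path else "traversal")
    if path.endswith("/wp-admin/install.php"):
        tags.append("install-screen")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "tags": tags}

def scan(log_text: str) -> list:
    """Return tagged events in log order. An install.php request from an IP that
    earlier sent traversal at the plugin is escalated: a deleted wp-config.php
    drops WordPress into the installer, which is the takeover path described above."""
    events, suspects = [], set()
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None or not ev["tags"]:
            continue
        if "plugin-traversal" in ev["tags"]:
            suspects.add(ev["ip"])
        if "install-screen" in ev["tags"] and ev["ip"] in suspects:
            ev["tags"].append("possible-takeover-sequence")
        events.append(ev)
    return events
```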
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized log platform and apply rules matching traversal payloads against wp-businessdirectory request paths
- Monitor filesystem audit events for unlink operations on wp-config.php and other root-level WordPress files originating from the PHP worker process
- Track plugin version inventory across managed WordPress sites and alert on instances running wp-businessdirectory version 3.1.2 or earlier
How to Mitigate CVE-2025-32629
Immediate Actions Required
- Update WP-BusinessDirectory to a version newer than 3.1.2 once the vendor publishes a fixed release, per the Patchstack advisory
- Deactivate and remove the wp-businessdirectory plugin on any site where a patched version is not yet available
- Restore deleted files from backup and verify the integrity of wp-config.php and other WordPress core files
- Rotate WordPress administrator credentials, database credentials, and secret keys if file deletion has been observed
Patch Information
Consult the Patchstack Vulnerability Report for current fix availability. Affected versions include all releases up to and including 3.1.2. Apply the vendor patch as soon as it is released and verify the plugin version after updating.
Workarounds
- Block requests to WP-BusinessDirectory endpoints containing path traversal patterns using a web application firewall rule that inspects parameters for .. sequences and URL-encoded variants
- Restrict filesystem permissions so the PHP worker account cannot delete WordPress core files outside the plugin directory where feasible
- Place the WordPress site behind authentication or IP allowlisting until the plugin is patched or removed
# Example ModSecurity rule to block path traversal against wp-businessdirectory.
# Two-rule chain: the first rule scopes the check to plugin request paths and
# carries the disruptive actions, which fire only if the chained second rule
# also matches. Transformations lowercase and URL-decode before matching, so the
# literal %2e/%2f alternatives remain useful only against double-encoded input.
SecRule REQUEST_URI "@contains wp-businessdirectory" \
"id:1003263,\
phase:2,\
t:none,t:lowercase,\
chain,\
deny,\
status:403,\
msg:'CVE-2025-32629 path traversal attempt against WP-BusinessDirectory'"
SecRule ARGS|REQUEST_URI "@rx (\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)" \
"t:none,t:lowercase,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.