CVE-2021-47933
Received Received - Intake

Arbitrary File Upload in WordPress MStore API Plugin

Vulnerability report for CVE-2021-47933, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-07-11
AI Q&A
2026-05-10
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in WordPress MStore API 2.0.6 allows unauthenticated attackers to upload malicious PHP files and achieve remote code execution on the server. This can lead to unauthorized access and control over the affected system.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access and breaches.

However, the provided context and resources do not explicitly mention the direct impact of this vulnerability on compliance with these standards or any specific regulatory consequences.

Detection Guidance

This vulnerability can be detected by sending a request to the REST API endpoint /wp-json/api/flutter_woo/config_file and checking the response for specific indicators.

An exploit script described in Resource 1 checks if the target is vulnerable by verifying if the response contains the phrase "Key must be."

A simple detection command using curl could be:

  • curl -X POST https://target-site.com/wp-json/api/flutter_woo/config_file -d '' -i

If the response contains the string "Key must be," it indicates the presence of the vulnerability.

Executive Summary

CVE-2021-47933 is a critical vulnerability in the WordPress MStore API plugin version 2.0.6 that allows unauthenticated attackers to upload arbitrary files, including malicious PHP files, by sending specially crafted POST requests to the REST API endpoint named "config_file."

This arbitrary file upload flaw enables attackers to place malicious PHP shells on the server, which can then be executed remotely, leading to full remote code execution on the affected server.

The vulnerability arises due to missing authentication on a critical function, allowing anyone to exploit it without needing valid credentials.

Impact Analysis

This vulnerability can have severe impacts including allowing attackers to gain full control over the affected server by uploading and executing malicious PHP files.

  • Remote code execution on the server.
  • Potential complete compromise of the website and underlying infrastructure.
  • Unauthorized access to sensitive data and system resources.
  • Possible disruption of website services or data loss.
Mitigation Strategies

Immediate mitigation steps include updating the WordPress MStore API plugin to a version that has patched this vulnerability.

If an update is not immediately available, restrict access to the vulnerable REST API endpoint /wp-json/api/flutter_woo/config_file to trusted users or IP addresses.

Additionally, monitor your server for any suspicious file uploads, especially PHP files in unexpected locations.

Implementing a Web Application Firewall (WAF) rule to block unauthorized POST requests to the vulnerable endpoint can also help mitigate exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart