CVE-2021-47933
Arbitrary File Upload in WordPress MStore API Plugin
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a request to the REST API endpoint /wp-json/api/flutter_woo/config_file and checking the response for specific indicators.
An exploit script described in Resource 1 checks if the target is vulnerable by verifying if the response contains the phrase "Key must be."
A simple detection command using curl could be:
- curl -X POST https://target-site.com/wp-json/api/flutter_woo/config_file -d '' -i
If the response contains the string "Key must be", it indicates the presence of the vulnerability.
Can you explain this vulnerability to me?
CVE-2021-47933 is a critical vulnerability in the WordPress MStore API plugin version 2.0.6 that allows unauthenticated attackers to upload arbitrary files, including malicious PHP files, by sending specially crafted POST requests to the REST API endpoint named "config_file."
This arbitrary file upload flaw enables attackers to place malicious PHP shells on the server, which can then be executed remotely, leading to full remote code execution on the affected server.
The vulnerability arises due to missing authentication on a critical function, allowing anyone to exploit it without needing valid credentials.
How can this vulnerability impact me?
This vulnerability can have severe impacts including allowing attackers to gain full control over the affected server by uploading and executing malicious PHP files.
- Remote code execution on the server.
- Potential complete compromise of the website and underlying infrastructure.
- Unauthorized access to sensitive data and system resources.
- Possible disruption of website services or data loss.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WordPress MStore API plugin to a version that has patched this vulnerability.
If an update is not immediately available, restrict access to the vulnerable REST API endpoint /wp-json/api/flutter_woo/config_file to trusted users or IP addresses.
Additionally, monitor your server for any suspicious file uploads, especially PHP files in unexpected locations.
Implementing a Web Application Firewall (WAF) rule to block unauthorized POST requests to the vulnerable endpoint can also help mitigate exploitation attempts.
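As an added example (not code from the advisory, the plugin or its vendor), the script below implements the monitoring step described above: it scans web-server access-log lines for POST requests to the config_file endpoint and reports which source addresses sent them and how many the server accepted. The Common Log Format regex, the sample log entries and the helper names are assumptions made for this example.

```python
import re
from collections import Counter

# Endpoint named in the advisory; unauthenticated POSTs here are the signal to watch.
VULN_ENDPOINT = "/wp-json/api/flutter_woo/config_file"

# Hypothetical regex for Apache/nginx Common Log Format ("combined" prefix).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return entries that POST to the MStore config_file endpoint (query string ignored)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if rec["method"] == "POST" and path == VULN_ENDPOINT:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source IP and how many the server answered with a 2xx status."""
    per_ip = Counter(h["ip"] for h in hits)
    accepted = sum(1 for h in hits if h["status"].startswith("2"))
    return {"total": len(hits), "accepted": accepted, "per_ip": dict(per_ip)}


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:12:00:01 +0000] "POST /wp-json/api/flutter_woo/config_file HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.3 - - [10/May/2026:12:00:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2026:12:00:09 +0000] "POST /wp-json/api/flutter_woo/config_file?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    '192.0.2.10 - - [10/May/2026:12:00:12 +0000] "POST /wp-json/api/flutter_woo/products HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = summarize(find_suspicious(SAMPLE_LOG))
    print(f"{report['total']} POST(s) to config_file, {report['accepted']} accepted: {report['per_ip']}")
```

An accepted (2xx) POST from an unexpected source is the case to follow up on by checking wp-content for newly written PHP files, as the mitigation advice suggests.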
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in WordPress MStore API 2.0.6 allows unauthenticated attackers to upload malicious PHP files and achieve remote code execution on the server. This can lead to unauthorized access and control over the affected system.
Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access and breaches.
However, the provided context and resources do not explicitly mention the direct impact of this vulnerability on compliance with these standards or any specific regulatory consequences.