CVE-2021-47940
Arbitrary File Upload in WordPress Download From Files Plugin
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability. This flaw allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers send specially crafted POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action. By manipulating the allowExt parameter, they can bypass file type restrictions and upload executable files such as PHP shells to the web root.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows unauthenticated attackers to upload and execute malicious files on the affected server. Successful exploitation can lead to remote code execution, giving attackers control over the web server. This can result in unauthorized access, data theft, website defacement, or further compromise of the hosting environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted POST requests to the vulnerable WordPress site's admin-ajax.php endpoint and checking for specific response indicators.
A detection method involves sending a POST request with the parameter action=download_from_files_617_fileupload and observing the response for the string "Sikeres", which indicates the target is vulnerable.
For example, using curl on a terminal, you can run a command similar to the following to test for vulnerability:
- curl -X POST -d "action=download_from_files_617_fileupload" https://targetsite.com/wp-admin/admin-ajax.php
If the response contains the string "Sikeres", it suggests the site is vulnerable to arbitrary file upload.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the vulnerable Download From Files plugin if it is installed on your WordPress site.
Since the plugin was permanently removed from the WordPress Plugin Directory due to this security issue, it is recommended to uninstall it completely and avoid using versions 1.48 and earlier.
Additionally, restrict access to the admin-ajax.php endpoint and monitor for suspicious POST requests with the action parameter set to download_from_files_617_fileupload.
Applying web application firewall (WAF) rules to block such malicious requests can also help mitigate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to upload malicious executable files, such as PHP shells, to the web root, enabling remote code execution. This severe security risk can lead to unauthorized access, data breaches, and potential manipulation or theft of sensitive information.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data. Organizations using the affected plugin without mitigation may face violations of these regulations due to inadequate security controls.