CVE-2021-47933 - WordPress MStore API Arbitrary File Upload

CVE-2021-47933 describes an arbitrary file upload vulnerability affecting the MStore API plugin for WordPress, version 2.0.6 and earlier. Unauthenticated attackers can exploit this vulnerability by sending crafted POST requests to the REST API endpoint. Successful exploitation allows the attacker to upload arbitrary files, including PHP scripts, which can then be executed on the server, leading to complete system compromise. This vulnerability poses a significant risk to websites using the affected plugin, as it provides a straightforward path for attackers to gain initial access and establish a persistent foothold. The vulnerability was reported by VulnCheck on May 10, 2026.

Attack Chain

1. The attacker identifies a WordPress site using the MStore API plugin version 2.0.6 or earlier.
2. The attacker crafts a malicious POST request targeting the /wp-json/mstore/v1/config_file REST API endpoint.
3. The POST request includes a file upload with a PHP file containing malicious code.
4. The attacker names the PHP file with an arbitrary name.
5. The server saves the uploaded PHP file to a publicly accessible directory.
6. The attacker sends an HTTP request to the uploaded PHP file’s URL.
7. The web server executes the PHP code within the uploaded file.
8. The attacker achieves remote code execution on the server, enabling further malicious activities like installing backdoors, data exfiltration, or defacement.

Impact

Successful exploitation of CVE-2021-47933 allows unauthenticated attackers to achieve remote code execution on the affected WordPress server. This could lead to complete compromise of the website, including data theft, defacement, or use of the server as a launching point for other attacks. Given the wide usage of WordPress and its plugins, this vulnerability could potentially affect thousands of websites if left unpatched. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level.

Recommendation

• Upgrade the MStore API plugin to a version later than 2.0.6 to patch CVE-2021-47933.
• Implement web application firewall (WAF) rules to block requests to the /wp-json/mstore/v1/config_file endpoint containing suspicious file uploads.
• Monitor web server logs for POST requests to the /wp-json/mstore/v1/config_file endpoint and review any uploaded files for malicious content.
• Deploy the Sigma rule to detect suspicious file uploads to the vulnerable endpoint.
• Restrict file upload permissions on the WordPress server to prevent arbitrary file uploads, mitigating the impact of similar vulnerabilities.