critical threat

CVE-2021-47940: WordPress Download From Files Plugin Arbitrary File Upload

WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability (CVE-2021-47940) that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action.

CVE-2021-47940 is an arbitrary file upload vulnerability affecting WordPress Plugin Download From Files version 1.48 and earlier. The vulnerability allows unauthenticated attackers to upload malicious files to a vulnerable WordPress installation. By sending a crafted POST request to the admin-ajax.php endpoint, an attacker can leverage the download_from_files_617_fileupload action and manipulate the allowExt parameter to bypass file type restrictions. This can lead to the upload of arbitrary files, including executable files like PHP shells, to the web root directory, potentially leading to remote code execution.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site using the vulnerable Download From Files plugin (<= 1.48).
  2. The attacker crafts a malicious POST request targeting the admin-ajax.php endpoint.
  3. The POST request includes the action parameter set to download_from_files_617_fileupload.
  4. The attacker manipulates the allowExt parameter within the POST request to include or exclude specific file extensions, bypassing intended file type restrictions.
  5. The attacker uploads a malicious file, such as a PHP shell (e.g., shell.php), via the crafted POST request.
  6. The server saves the uploaded file to a predictable location within the WordPress web root (e.g., wp-content/uploads/).
  7. The attacker accesses the uploaded PHP shell via a direct HTTP request to the file’s URL (e.g., https://example.com/wp-content/uploads/shell.php).
  8. The attacker executes arbitrary code on the server via the uploaded PHP shell, potentially compromising the entire WordPress installation and the underlying server.

Impact

Successful exploitation of CVE-2021-47940 allows unauthenticated attackers to upload arbitrary files, including PHP shells, to vulnerable WordPress sites. This can lead to complete compromise of the affected WordPress installation, allowing attackers to execute arbitrary code, deface the website, steal sensitive data, or use the server for malicious purposes. The CVSS v3.1 base score for this vulnerability is 9.8 (Critical).

Recommendation

  • Upgrade the Download From Files plugin to a version greater than 1.48 to patch CVE-2021-47940.
  • Deploy the Sigma rule provided to detect attempts to exploit CVE-2021-47940 by monitoring for POST requests to admin-ajax.php with the download_from_files_617_fileupload action.
  • Implement web application firewall (WAF) rules to filter requests containing suspicious file extensions or attempting to bypass file upload restrictions.
  • Regularly scan WordPress installations for vulnerable plugins and apply updates promptly.

Detection coverage (1 rule)

Detects CVE-2021-47940 Exploitation — WordPress Download From Files Arbitrary File Upload

Level: high

Detects CVE-2021-47940 exploitation — HTTP POST request to admin-ajax.php with download_from_files_617_fileupload action.

Format: Sigma | Tactics: initial_access | Techniques: T1189 | Log source: webserver
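As an added example, not part of this feed entry or the plugin, the Python below applies the rule's logic to web-server access logs: it flags POST requests to admin-ajax.php carrying the download_from_files_617_fileupload action, raises severity when allowExt is present, and escalates when the same client then fetches a .php file from wp-content/uploads. It assumes a combined-log format and that the action parameter is visible in the query string; when it is sent only in the POST body, the same match needs a WAF or proxy log that records request bodies.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx combined-log request line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ACTION = "download_from_files_617_fileupload"  # AJAX action named in the advisory

# Constructed sample traffic (RFC 5737 test addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload&allowExt=php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict with ip, method, path, params and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    # keep_blank_values so an empty allowExt= is still seen as present
    rec["params"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return rec

def is_upload_attempt(rec):
    """POST to admin-ajax.php invoking the vulnerable plugin action."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/admin-ajax.php")
            and rec["params"].get("action") == VULN_ACTION)

def scan(log_text):
    """Return (ip, severity, reason) alerts, in log order."""
    alerts, uploaders = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upload_attempt(rec):
            # allowExt in the request is the bypass described in the advisory
            sev = "high" if "allowExt" in rec["params"] else "medium"
            alerts.append((rec["ip"], sev, "vulnerable fileupload action invoked"))
            uploaders.add(rec["ip"])
        elif (rec["ip"] in uploaders and rec["method"] == "GET" and rec["status"] == "200"
              and "/wp-content/uploads/" in rec["path"] and rec["path"].endswith(".php")):
            alerts.append((rec["ip"], "critical", "PHP served from uploads after upload attempt"))
    return alerts
```

Running `scan(SAMPLE_LOG)` yields a high alert for the upload attempt and a critical alert for the follow-up fetch of the uploaded PHP file, while the ordinary heartbeat request from the second client is ignored.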
