high advisory

WordPress Backup and Restore Plugin Arbitrary File Deletion (CVE-2021-47979)

WordPress Backup and Restore plugin 1.0.3 contains an arbitrary file deletion vulnerability (CVE-2021-47979) allowing authenticated attackers to delete files by manipulating parameters in AJAX requests to admin-ajax.php.

The WordPress Backup and Restore plugin version 1.0.3 is vulnerable to an arbitrary file deletion vulnerability (CVE-2021-47979). This vulnerability allows authenticated attackers, with at least low privileges, to delete arbitrary files on the WordPress server. The attack involves crafting POST requests to the admin-ajax.php endpoint with specifically manipulated file_name and folder_name parameters. Successful exploitation leads to arbitrary file deletion, potentially causing significant data loss and service disruption for the affected WordPress site. This vulnerability was reported on May 16, 2026.

Attack Chain

  1. The attacker authenticates to the WordPress application with low-level privileges.
  2. The attacker crafts a malicious POST request targeting the admin-ajax.php endpoint.
  3. The POST request sets the action parameter to the vulnerable plugin’s AJAX action hook and uses the file_name and folder_name parameters to specify the target file for deletion.
  4. The WordPress server processes the request without proper validation of the file_name and folder_name parameters.
  5. The plugin’s code constructs a file path using the provided parameters.
  6. The plugin’s code calls the PHP unlink() function with the constructed file path, attempting to delete the specified file.
  7. If the attacker-controlled path is accessible to the WordPress process, the file is deleted from the server.
  8. The attacker repeats this process to delete multiple files, causing data loss or disrupting website functionality.

Impact

Successful exploitation of CVE-2021-47979 allows an attacker to delete arbitrary files within the WordPress installation directory. This can lead to significant data loss, including critical website files, database backups, and uploaded media. The impact can range from defacement to complete website unavailability, potentially affecting businesses relying on the WordPress platform.

Recommendation

  • Upgrade the WordPress Backup and Restore plugin to a version that patches CVE-2021-47979 if a patch is available.
  • Deploy the Sigma rule “Detect CVE-2021-47979 Exploitation Attempt via WordPress admin-ajax.php” to detect malicious POST requests to admin-ajax.php with suspicious file_name and folder_name parameters.
  • Implement strict file access controls on the WordPress server to limit the files that the WordPress process can access and delete.
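
One way to triage the requests the Sigma rule recommended above is meant to catch, as an added example (not the platform's rule and not the plugin's code). It assumes POST bodies are captured, for example by a WAF audit log, and treats parent-directory segments, absolute paths and null bytes in file_name or folder_name as suspicious; the function names, heuristics and sample events are constructed, and the plugin's AJAX action name is not given on the page, so a placeholder stands in for it.

```python
from urllib.parse import parse_qs, unquote, urlsplit

WATCHED_PARAMS = ("file_name", "folder_name")  # parameter names from the advisory


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e) before inspecting a value."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def path_findings(value):
    """Return the reasons a value looks like a path escape (assumed heuristics)."""
    v = fully_decode(value).replace("\\", "/")
    reasons = []
    if "\x00" in v:
        reasons.append("null byte")
    if ".." in v.split("/"):
        reasons.append("parent-directory segment")
    if v.startswith("/") or (len(v) > 1 and v[1] == ":"):
        reasons.append("absolute path")
    return reasons


def inspect_request(method, url, body):
    """Flag POSTs to admin-ajax.php whose file_name/folder_name escape a directory."""
    if method.upper() != "POST" or not urlsplit(url).path.endswith("/admin-ajax.php"):
        return []
    params = parse_qs(body, keep_blank_values=True)  # decodes one encoding layer
    return [(name, reason)
            for name in WATCHED_PARAMS
            for value in params.get(name, [])
            for reason in path_findings(value)]


# Constructed sample events (method, URL, form body); the action value is a placeholder.
SAMPLES = [
    ("POST", "/wp-admin/admin-ajax.php", "action=PLACEHOLDER&folder_name=backup_1&file_name=site.zip"),
    ("POST", "/wp-admin/admin-ajax.php", "action=PLACEHOLDER&folder_name=..%2F..&file_name=example.txt"),
    ("POST", "/wp-admin/admin-ajax.php", "action=PLACEHOLDER&folder_name=x&file_name=%252e%252e%252fexample.txt"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, inspect_request(method, url, body))
```

Plain access logs usually omit POST bodies, so this check only works where the body is recorded.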

Detection coverage (2 rules)

Detect CVE-2021-47979 Exploitation Attempt via WordPress admin-ajax.php

high

Detects CVE-2021-47979 exploitation — attempts to exploit arbitrary file deletion in WordPress Backup and Restore plugin via admin-ajax.php.

Format: sigma | Tactics: defense_evasion, persistence | Techniques: T1068, T1547.004 | Sources: webserver

Detect WordPress admin-ajax.php File Parameter Manipulation

medium

Detects manipulation of file parameters in requests to WordPress's admin-ajax.php, potentially indicating file inclusion or deletion attacks.

Format: sigma | Tactics: initial_access | Techniques: T1190, T1547.004 | Sources: webserver
