Backup and Restore — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/backup-and-restore/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 16 May 2026 16:23:42 +0000WordPress Backup and Restore Plugin Arbitrary File Deletion (CVE-2021-47979)https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47979-wordpress-file-deletion/Sat, 16 May 2026 16:23:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2021-47979-wordpress-file-deletion/WordPress Backup and Restore plugin 1.0.3 contains an arbitrary file deletion vulnerability (CVE-2021-47979) allowing authenticated attackers to delete files by manipulating parameters in AJAX requests to admin-ajax.php.The WordPress Backup and Restore plugin version 1.0.3 is vulnerable to an arbitrary file deletion vulnerability (CVE-2021-47979). This vulnerability allows authenticated attackers, with at least low privileges, to delete arbitrary files on the WordPress server. The attack involves crafting POST requests to the admin-ajax.php endpoint with specifically manipulated file_name and folder_name parameters. Successful exploitation leads to arbitrary file deletion, potentially causing significant data loss and service disruption for the affected WordPress site. This vulnerability was reported on May 16, 2026.

Attack Chain

  1. The attacker authenticates to the WordPress application with low-level privileges.
  2. The attacker crafts a malicious POST request targeting the admin-ajax.php endpoint.
  3. The POST request includes parameters action set to the vulnerable plugin’s AJAX action hook, and file_name and folder_name parameters specifying the target file for deletion.
  4. The WordPress server processes the request without proper validation of the file_name and folder_name parameters.
  5. The plugin’s code constructs a file path using the provided parameters.
  6. The plugin’s code calls the PHP unlink() function with the constructed file path, attempting to delete the specified file.
  7. If the attacker-controlled path is accessible to the WordPress process, the file is deleted from the server.
  8. The attacker repeats this process to delete multiple files, causing data loss or potentially disrupting the website functionality.

Impact

Successful exploitation of CVE-2021-47979 allows an attacker to delete arbitrary files within the WordPress installation directory. This can lead to significant data loss, including critical website files, database backups, and uploaded media. The impact can range from defacement to complete website unavailability, potentially affecting businesses relying on the WordPress platform.

Recommendation

  • Upgrade the WordPress Backup and Restore plugin to a version that patches CVE-2021-47979 if a patch is available.
  • Deploy the Sigma rule “Detect CVE-2021-47979 Exploitation Attempt via WordPress admin-ajax.php” to detect malicious POST requests to admin-ajax.php with suspicious file_name and folder_name parameters.
  • Implement strict file access controls on the WordPress server to limit the files that the WordPress process can access and delete.
]]>highadvisorywordpressfile-deletioncve-2021-47979