{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/download-from-files-plugin--1.48/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2021-47940"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Download From Files Plugin \u003c= 1.48"],"_cs_severities":["critical"],"_cs_tags":["cve-2021-47940","wordpress","file upload","rce","plugin vulnerability"],"_cs_type":"threat","_cs_vendors":["wordpress.org"],"content_html":"\u003cp\u003eCVE-2021-47940 is an arbitrary file upload vulnerability affecting WordPress Plugin Download From Files version 1.48 and earlier. The vulnerability allows unauthenticated attackers to upload malicious files to a vulnerable WordPress installation. By sending a crafted POST request to the \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint, an attacker can leverage the \u003ccode\u003edownload_from_files_617_fileupload\u003c/code\u003e action and manipulate the \u003ccode\u003eallowExt\u003c/code\u003e parameter to bypass file type restrictions. This can lead to the upload of arbitrary files, including executable files like PHP shells, to the web root directory, potentially leading to remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Download From Files plugin (\u0026lt;= 1.48).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edownload_from_files_617_fileupload\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003eallowExt\u003c/code\u003e parameter within the POST request to include or exclude specific file extensions, bypassing intended file type restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious file, such as a PHP shell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e), via the crafted POST request.\u003c/li\u003e\n\u003cli\u003eThe server saves the uploaded file to a predictable location within the WordPress web root (e.g., \u003ccode\u003ewp-content/uploads/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded PHP shell via a direct HTTP request to the file\u0026rsquo;s URL (e.g., \u003ccode\u003ehttps://example.com/wp-content/uploads/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server via the uploaded PHP shell, potentially compromising the entire WordPress installation and the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47940 allows unauthenticated attackers to upload arbitrary files, including PHP shells, to vulnerable WordPress sites. This can lead to complete compromise of the affected WordPress installation, allowing attackers to execute arbitrary code, deface the website, steal sensitive data, or use the server for malicious purposes. The CVSS v3.1 base score for this vulnerability is 9.8 (Critical).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Download From Files plugin to a version greater than 1.48 to patch CVE-2021-47940.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to exploit CVE-2021-47940 by monitoring for POST requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e with the \u003ccode\u003edownload_from_files_617_fileupload\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to filter requests containing suspicious file extensions or attempting to bypass file upload restrictions.\u003c/li\u003e\n\u003cli\u003eRegularly scan WordPress installations for vulnerable plugins and apply updates promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:19:25Z","date_published":"2026-05-10T13:19:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47940-wordpress-upload/","summary":"WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability (CVE-2021-47940) that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action.","title":"CVE-2021-47940: WordPress Download From Files Plugin Arbitrary File Upload","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47940-wordpress-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — Download From Files Plugin \u003c= 1.48","version":"https://jsonfeed.org/version/1.1"}