Attack Chain

1. An unauthenticated attacker identifies a WordPress site using the vulnerable Download From Files plugin (<= 1.48).
2. The attacker crafts a malicious POST request targeting the admin-ajax.php endpoint.
3. The POST request includes the action parameter set to download_from_files_617_fileupload.
4. The attacker manipulates the allowExt parameter within the POST request to include or exclude specific file extensions, bypassing intended file type restrictions.
5. The attacker uploads a malicious file, such as a PHP shell (e.g., shell.php), via the crafted POST request.
6. The server saves the uploaded file to a predictable location within the WordPress web root (e.g., wp-content/uploads/).
7. The attacker accesses the uploaded PHP shell via a direct HTTP request to the file’s URL (e.g., https://example.com/wp-content/uploads/shell.php).
8. The attacker executes arbitrary code on the server via the uploaded PHP shell, potentially compromising the entire WordPress installation and the underlying server.

Impact

Successful exploitation of CVE-2021-47940 allows unauthenticated attackers to upload arbitrary files, including PHP shells, to vulnerable WordPress sites. This can lead to complete compromise of the affected WordPress installation, allowing attackers to execute arbitrary code, deface the website, steal sensitive data, or use the server for malicious purposes. The CVSS v3.1 base score for this vulnerability is 9.8 (Critical).

Recommendation

• Upgrade the Download From Files plugin to a version greater than 1.48 to patch CVE-2021-47940.
• Deploy the Sigma rule provided to detect attempts to exploit CVE-2021-47940 by monitoring for POST requests to admin-ajax.php with the download_from_files_617_fileupload action.
• Implement web application firewall (WAF) rules to filter requests containing suspicious file extensions or attempting to bypass file upload restrictions.
• Regularly scan WordPress installations for vulnerable plugins and apply updates promptly.