{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2021-47977/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2021-47977"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Anti-Malware Security and Bruteforce Firewall 4.20.59"],"_cs_severities":["high"],"_cs_tags":["directory-traversal","wordpress","plugin","cve-2021-47977"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2021-47977 is a directory traversal vulnerability affecting version 4.20.59 of the WordPress Anti-Malware Security and Bruteforce Firewall plugin. Unauthenticated attackers can exploit this vulnerability to read arbitrary files on the server by crafting malicious requests to the \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint. The vulnerability is triggered when the \u003ccode\u003eduplicator_download\u003c/code\u003e action is called with a manipulated \u003ccode\u003efile\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e). Successful exploitation allows attackers to access sensitive files outside the intended directory, potentially exposing configuration files, database credentials, or other sensitive information. This vulnerability poses a significant risk to WordPress websites using the affected plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using Anti-Malware Security and Bruteforce Firewall version 4.20.59.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeting the \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eduplicator_download\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003efile\u003c/code\u003e parameter within the POST request to include path traversal sequences (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request through the vulnerable plugin.\u003c/li\u003e\n\u003cli\u003eThe plugin fails to properly sanitize or validate the \u003ccode\u003efile\u003c/code\u003e parameter, allowing the path traversal sequence to be processed.\u003c/li\u003e\n\u003cli\u003eThe server attempts to read the file specified by the manipulated path.\u003c/li\u003e\n\u003cli\u003eThe contents of the targeted file are returned in the HTTP response, allowing the attacker to read arbitrary files on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this directory traversal vulnerability (CVE-2021-47977) allows unauthenticated attackers to read arbitrary files on the affected WordPress server. This could lead to the disclosure of sensitive information such as database credentials, configuration files, or other sensitive data stored on the system. The impact of this vulnerability is significant, as it could enable attackers to gain unauthorized access to the website\u0026rsquo;s database or other critical resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2021-47977 Exploitation Attempt - WordPress Anti-Malware Directory Traversal\u0026rdquo; to your SIEM to detect exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eInspect webserver logs for suspicious POST requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eduplicator_download\u003c/code\u003e and the \u003ccode\u003efile\u003c/code\u003e parameter containing path traversal sequences, as highlighted in the Sigma rule (logsource: webserver, cs-uri-stem, cs-uri-query).\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter requests containing path traversal sequences to mitigate the risk of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:22:23Z","date_published":"2026-05-16T16:22:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-anti-malware-traversal/","summary":"WordPress Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability (CVE-2021-47977) that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter in requests to admin-ajax.php.","title":"WordPress Anti-Malware Security and Bruteforce Firewall Directory Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-anti-malware-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2021-47977","version":"https://jsonfeed.org/version/1.1"}