{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2021-47979/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2021-47979"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Backup and Restore"],"_cs_severities":["high"],"_cs_tags":["wordpress","file-deletion","cve-2021-47979"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WordPress Backup and Restore plugin version 1.0.3 is vulnerable to an arbitrary file deletion vulnerability (CVE-2021-47979). This vulnerability allows authenticated attackers, with at least low privileges, to delete arbitrary files on the WordPress server. The attack involves crafting POST requests to the admin-ajax.php endpoint with specifically manipulated \u003ccode\u003efile_name\u003c/code\u003e and \u003ccode\u003efolder_name\u003c/code\u003e parameters. Successful exploitation leads to arbitrary file deletion, potentially causing significant data loss and service disruption for the affected WordPress site. This vulnerability was reported on May 16, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the WordPress application with low-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes parameters \u003ccode\u003eaction\u003c/code\u003e set to the vulnerable plugin\u0026rsquo;s AJAX action hook, and \u003ccode\u003efile_name\u003c/code\u003e and \u003ccode\u003efolder_name\u003c/code\u003e parameters specifying the target file for deletion.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request without proper validation of the \u003ccode\u003efile_name\u003c/code\u003e and \u003ccode\u003efolder_name\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s code constructs a file path using the provided parameters.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s code calls the PHP \u003ccode\u003eunlink()\u003c/code\u003e function with the constructed file path, attempting to delete the specified file.\u003c/li\u003e\n\u003cli\u003eIf the attacker-controlled path is accessible to the WordPress process, the file is deleted from the server.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to delete multiple files, causing data loss or potentially disrupting the website functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47979 allows an attacker to delete arbitrary files within the WordPress installation directory. This can lead to significant data loss, including critical website files, database backups, and uploaded media. The impact can range from defacement to complete website unavailability, potentially affecting businesses relying on the WordPress platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WordPress Backup and Restore plugin to a version that patches CVE-2021-47979 if a patch is available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2021-47979 Exploitation Attempt via WordPress admin-ajax.php\u0026rdquo; to detect malicious POST requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e with suspicious \u003ccode\u003efile_name\u003c/code\u003e and \u003ccode\u003efolder_name\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eImplement strict file access controls on the WordPress server to limit the files that the WordPress process can access and delete.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:23:42Z","date_published":"2026-05-16T16:23:42Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47979-wordpress-file-deletion/","summary":"WordPress Backup and Restore plugin 1.0.3 contains an arbitrary file deletion vulnerability (CVE-2021-47979) allowing authenticated attackers to delete files by manipulating parameters in AJAX requests to admin-ajax.php.","title":"WordPress Backup and Restore Plugin Arbitrary File Deletion (CVE-2021-47979)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47979-wordpress-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2021-47979","version":"https://jsonfeed.org/version/1.1"}