CVE-2021-47933 | THREATINT

Description

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.

PUBLISHED Reserved 2026-02-01 | Published 2026-05-10 | Updated 2026-05-10 | Assigner VulnCheck

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Missing Authentication for Critical Function

Product status

2.0.6

affected

Credits

spacehen finder

References

www.exploit-db.com/exploits/50379 (ExploitDB-50379) exploit

wordpress.org/plugins/mstore-api/ (Official Product Homepage) product

www.vulncheck.com/...dpress-mstore-api-arbitrary-file-upload (VulnCheck Advisory: WordPress MStore API 2.0.6 Arbitrary File Upload) third-party-advisory

cve.org (CVE-2021-47933)

nvd.nist.gov (CVE-2021-47933)

Download JSON