CVE Catalog

CVE-2021-47933

Critical
Published: Translated: NVD NIST

Summary

WordPress MStore API version 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.

Risk Assessment

This vulnerability poses a serious risk to organizations, allowing attackers to execute code remotely on the server, potentially leading to system takeover. Unsecured servers may be exposed to various attacks and data breaches.

Recommendation

It is recommended to update WordPress MStore API to the latest version to mitigate this vulnerability. Additionally, implementing security measures such as restricting file uploads to trusted types and monitoring server activity is advisable.

Original NVD description (English source)

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS