WordPress MStore API Critical RCE: Unauthenticated File Upload

The National Vulnerability Database has detailed CVE-2021-47933, a critical arbitrary file upload vulnerability within WordPress MStore API version 2.0.6. This flaw allows unauthenticated attackers to achieve remote code execution (RCE) by sending POST requests to the REST API endpoint. Attackers can upload malicious PHP files with arbitrary names directly to the config_file endpoint.

This isn’t a complex attack. It’s a straightforward path from unauthenticated access to full server compromise, earning a CVSS score of 9.8 (Critical). The vulnerability’s nature means any attacker can exploit it without prior authentication or user interaction, making it highly attractive for widespread automated attacks targeting vulnerable WordPress instances.

For defenders, this is a red alert for any WordPress site running the MStore API plugin. The ease of exploitation means these systems are sitting ducks if not patched. Attackers are constantly scanning for low-hanging fruit like this; a critical RCE in a popular platform is prime real estate for initial access brokers and botnets.

What This Means For You

  • If your organization uses WordPress with the MStore API plugin, specifically version 2.0.6, you are critically exposed. Immediately identify all instances running this plugin and ensure they are patched or updated to a secure version. Audit web server logs for any suspicious POST requests to `/wp-json/mstore-api/v2/config_file` or unusual file uploads in your WordPress installation directory.
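
One way to run the log audit described above, as an added example that is not part of the original advisory. It assumes access logs in Combined Log Format; the function names, the sample lines and the follow-up heuristic are illustrative assumptions, and it matches the `config_file` route under any `/wp-json/` namespace rather than one exact path.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_config_file_route(path):
    # Match the route name under any REST namespace, so a differing
    # namespace or version segment in the URL does not hide the request.
    p = path.rstrip("/")
    return p.startswith("/wp-json/") and p.endswith("/config_file")

def audit(lines):
    """Return (uploads, followups) as lists of (line_no, ip, path, status)."""
    uploads, followups = [], []
    uploaders = set()   # clients whose POST to config_file got a 2xx
    known_php = set()   # PHP paths seen in requests that were not flagged
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue    # not an access-log line in the expected format
        ip, status = m["ip"], int(m["status"])
        path = urlsplit(m["target"]).path
        if m["method"] == "POST" and is_config_file_route(path):
            uploads.append((n, ip, path, status))
            if 200 <= status < 300:
                uploaders.add(ip)
        elif path.lower().endswith(".php"):
            if ip in uploaders and path not in known_php:
                # Heuristic (assumption): an uploader then requesting a PHP
                # path not seen before deserves a look on disk.
                followups.append((n, ip, path, status))
            else:
                known_php.add(path)
    return uploads, followups

# Constructed sample lines (documentation IP ranges, placeholder file name).
SAMPLE = [
    '198.51.100.7 - - [10/May/2026:16:20:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2026:16:20:40 +0000] "POST /wp-json/mstore-api/v2/config_file HTTP/1.1" 403 120 "-" "-"',
    '192.0.2.44 - - [10/May/2026:16:21:02 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/May/2026:16:21:13 +0000] "POST /wp-json/mstore-api/v2/config_file HTTP/1.1" 200 87 "-" "-"',
    '192.0.2.44 - - [10/May/2026:16:21:15 +0000] "GET /wp-content/uploads/example.php HTTP/1.1" 200 45 "-" "-"',
    '192.0.2.44 - - [10/May/2026:16:21:20 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "-"',
]

if __name__ == "__main__":
    for label, hits in zip(("upload attempt", "follow-up"), audit(SAMPLE)):
        for hit in hits:
            print(label, *hit)
```

A 2xx response to the POST is a lead, not proof of compromise; confirm by checking the flagged PHP paths on disk.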

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2021-47933: MStore API Unauthenticated File Upload

Sigma YAML:

```yaml
title: 'CVE-2021-47933: MStore API Unauthenticated File Upload'  # quoted: the title contains ': '
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects unauthenticated POST requests to the MStore API's config_file endpoint, indicative of the arbitrary file upload vulnerability exploited in CVE-2021-47933. Successful exploitation allows attackers to upload malicious PHP files for remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47933/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    # Match on the route name under /wp-json/ rather than one exact namespace:
    # the advisory text cites /wp-json/mstore-api/v2/config_file.
    cs-uri-stem|contains|all:
      - '/wp-json/'
      - '/config_file'
    sc-status: 200
  # condition belongs under detection, not inside the selection
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Other REST routes named config_file
```

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47933 | RCE | WordPress MStore API 2.0.6 |
| CVE-2021-47933 | Arbitrary File Upload | POST requests to REST API endpoint |
| CVE-2021-47933 | Arbitrary File Upload | Upload PHP files to config_file endpoint |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 10, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
