🚨 BREAKING

WordPress Plugin Download From Files: Critical Unauthenticated File Upload


The National Vulnerability Database has disclosed CVE-2021-47940, a critical arbitrary file upload vulnerability affecting WordPress Plugin Download From Files version 1.48 and earlier. The flaw lets unauthenticated attackers upload arbitrary files, including PHP web shells, directly to the web root. It stems from the plugin's AJAX file-upload action being reachable without authentication and honouring a client-supplied allowExt parameter as the list of permitted extensions: an attacker sends a POST request to the admin-ajax.php endpoint and sets allowExt to whatever extension they want to upload.

This is a textbook critical vulnerability (CVSS 9.8). Attackers can bypass file type restrictions, upload executable code, and achieve immediate remote code execution. The fact that it requires no authentication means any exposed instance of the plugin is a sitting duck. This isn’t theoretical; this is a direct path to web shell deployment and full site compromise.

For defenders, the implication is clear: if you run this plugin, you are exposed. An unauthenticated file upload is one of the most severe vulnerabilities a web application can have. It offers attackers a low-friction, high-impact method to gain a foothold, move laterally, and exfiltrate data. The ease of exploitation makes this a prime target for automated scanning and exploitation.

What This Means For You

  • If your organization uses the WordPress Plugin Download From Files, check its version immediately. If it is 1.48 or earlier, update to a fixed release if one is available; if not, deactivate and remove the plugin until you can. Audit your web server logs for POST requests to `admin-ajax.php` carrying the `download_from_files_617_fileupload` action. Keep in mind that parameters sent in the POST body do not appear in a standard access log, so an exploitation attempt may show up only as a bare POST to `admin-ajax.php` unless a WAF or ModSecurity-style audit log records request bodies. Complement the log review with a filesystem check: look for recently created `.php` (and `.phtml`, `.phar`) files under the web root, including `wp-content/uploads` and any other directory the plugin writes uploads to.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access)

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK. The Sigma YAML of rule 1 (id scw-2026-05-10-ai-1) follows.

Severity: critical · ATT&CK: T1190 Initial Access

CVE-2021-47940 - WordPress Download From Files Unauthenticated File Upload

Sigma YAML
title: CVE-2021-47940 - WordPress Download From Files Unauthenticated File Upload
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects a POST to admin-ajax.php carrying the AJAX action 'download_from_files_617_fileupload' used in CVE-2021-47940 to upload arbitrary files, together with an 'allowExt=' parameter, the client-controlled value used to bypass the plugin's file type restrictions.
  Caveat: this rule inspects the query string only. Parameters sent in the POST body are invisible to a plain access log, so body-only exploitation is caught only if the log source (WAF, ModSecurity audit log) maps captured request parameters into cs-uri-query.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47940/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
# Field names follow the Sigma webserver logsource convention (c-uri, cs-method, cs-uri-query).
detection:
  selection_base:
    c-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'action=download_from_files_617_fileupload'
  selection_indicators:
    cs-uri-query|contains:
      - 'allowExt='
  condition: selection_base and selection_indicators
falsepositives:
  - Legitimate uploads through the plugin's own form may carry the same action and parameter; triage on the allowExt value (executable extensions such as php/phtml/phar) and on new PHP files under the web root
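The log-audit advice above and the Sigma rule describe the same check; the following Python is an added example (not code from the advisory, the NVD entry, or the plugin) that applies the rule's condition to a few constructed access-log lines, and then to the same lines paired with the request-body parameters that a ModSecurity audit log or WAF would record. It goes one step beyond the rule by grading the client-supplied allowExt value, since a request whose allowExt names a PHP extension is the actual bypass. Assumed, not from the page: the Sigma webserver field names (c-uri, cs-method, cs-uri-query), a comma- or pipe-separated allowExt format, the set of executable extensions, and every sample line and body, all of which are constructed.

```python
"""Triage helper for CVE-2021-47940 (added example, not from the advisory or the plugin)."""
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "download_from_files_617_fileupload"
# Assumed set of extensions a typical PHP-enabled server executes; extend for your handlers.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Apache/Nginx combined log format; captures only the fields the rule needs.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_line(line):
    """Map one combined-format line onto Sigma webserver field names; None if unparsable."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "c-ip": m["ip"],
        "timestamp": m["ts"],
        "cs-method": m["method"],
        "c-uri": target.path,
        "cs-uri-query": target.query,
        "sc-status": int(m["status"]),
    }


def request_params(event, body_params=None):
    """Parameters the log source lets us see: the query string, plus the POST body if captured."""
    params = parse_qs(event["cs-uri-query"], keep_blank_values=True)
    if body_params:
        params.update(body_params)  # body_params: {name: [values]} like parse_qs output
    return params


def sigma_match(event, body_params=None):
    """The rule's condition: selection_base and selection_indicators."""
    if event["cs-method"] != "POST" or AJAX_PATH not in event["c-uri"]:
        return False
    params = request_params(event, body_params)
    return VULN_ACTION in params.get("action", []) and "allowExt" in params


def allows_executable(allow_ext_value):
    """True if the client-supplied allowExt list (assumed comma/pipe separated) names a PHP extension."""
    tokens = (t.strip().lstrip(".").lower() for t in re.split(r"[,|;\s]+", allow_ext_value))
    return any(t in EXEC_EXT for t in tokens if t)


def audit(records):
    """records: iterable of (access_log_line, body_params_or_None).
    Returns one finding per matching request, flagging whether allowExt named an executable extension."""
    findings = []
    for line, body in records:
        event = parse_access_line(line)
        if event is None or not sigma_match(event, body):
            continue
        allow_ext = (request_params(event, body).get("allowExt") or [""])[0]
        findings.append({
            "c-ip": event["c-ip"],
            "timestamp": event["timestamp"],
            "allowExt": allow_ext,
            "executable_ext": allows_executable(allow_ext),
            "seen_in": "query string" if "allowExt=" in event["cs-uri-query"] else "request body",
        })
    return findings


# Constructed sample traffic (not real logs).
SAMPLE_ACCESS_LOG = [
    # exploitation with parameters in the query string: visible to a plain access log
    '203.0.113.7 - - [10/May/2026:16:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload&allowExt=php HTTP/1.1" 200 112 "-" "python-requests/2.31.0"',
    # same action with parameters in the POST body: the access log shows only a bare POST
    '203.0.113.7 - - [10/May/2026:16:20:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 112 "-" "python-requests/2.31.0"',
    # benign WordPress heartbeat
    '198.51.100.4 - - [10/May/2026:16:21:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "https://example.org/wp-admin/" "Mozilla/5.0"',
    # unrelated request
    '198.51.100.4 - - [10/May/2026:16:21:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
# Constructed request bodies as a body-aware source (WAF / ModSecurity audit log) would add them.
SAMPLE_BODIES = [None, {"action": [VULN_ACTION], "allowExt": ["jpg,phtml"]}, {"_nonce": ["abc123"]}, None]
ACCESS_LOG_ONLY = [(line, None) for line in SAMPLE_ACCESS_LOG]
WITH_REQUEST_BODIES = list(zip(SAMPLE_ACCESS_LOG, SAMPLE_BODIES))

if __name__ == "__main__":
    for label, records in (("access log only", ACCESS_LOG_ONLY), ("with request bodies", WITH_REQUEST_BODIES)):
        found = audit(records)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  ", finding)
```

Run as-is and the access-log-only pass reports one finding while the body-aware pass reports two: the second exploitation attempt is invisible until request parameters are captured, which is the practical reason the log audit alone is not sufficient and the filesystem check for new PHP files belongs alongside it.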

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type                   Indicator
CVE-2021-47940  Arbitrary File Upload  WordPress Plugin Download From Files version 1.48 and earlier
CVE-2021-47940  Arbitrary File Upload  AJAX fileupload action
CVE-2021-47940  Arbitrary File Upload  POST requests to the admin-ajax.php endpoint with action=download_from_files_617_fileupload
CVE-2021-47940  Arbitrary File Upload  Manipulation of the 'allowExt' parameter to bypass file type restrictions
CVE-2021-47940  RCE                    Upload of executable files (e.g., PHP shells) to the web root
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 10, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.


Related coverage

Aero CMS 0.0.1 Vulnerability Allows Authenticated PHP Code Injection

CVE-2022-50944 — Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through...

High severity · CVSS 8.8 · CWE-94

CyberPanel 2.1 RCE via Symlink Attack (CVE-2021-47949)

CVE-2021-47949 — CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks...

High severity · CVSS 8.8 · CWE-59 (arbitrary file access)

TextPattern CMS RCE (CVE-2021-47943) Allows Authenticated Attackers to Execute Commands

CVE-2021-47943 — TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through...

High severity · CVSS 8.8 · CWE-434 (remote code execution)