WordPress Plugin WP Super Edit RCE via Unrestricted File Upload
The National Vulnerability Database has detailed a critical vulnerability, CVE-2021-47965, affecting the WordPress Plugin WP Super Edit versions 2.5.4 and earlier. This flaw stems from an unrestricted file upload vulnerability in the plugin's bundled FCKeditor component, which accepts dangerous file types without proper validation, so an attacker can upload them directly.
Specifically, the vulnerability allows for the upload of arbitrary files through the filemanager upload endpoint. This capability grants attackers remote code execution (RCE), which can lead to a complete system compromise. With a CVSS score of 9.8 (CRITICAL) and a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, this is a severe issue that demands immediate attention. The ease of exploitation (low attack complexity, no privileges required, no user interaction) makes it a prime target for opportunistic attackers.
From an attacker’s perspective, this is a goldmine. Unrestricted file upload is one of the quickest routes to RCE on web applications, especially with widely deployed platforms like WordPress. Defenders need to recognize that this isn’t just a theoretical risk; it’s a direct path to full server control, enabling data exfiltration, defacement, or further lateral movement within an environment.
What This Means For You
- If your organization uses the WordPress Plugin WP Super Edit, inspect your installations immediately. Prioritize patching to a version beyond 2.5.4. If patching isn't feasible, disable or remove the plugin. Audit your web server logs for suspicious file uploads, especially POST requests to the FCKeditor file manager connector, and check the directories that component writes to for unexpected executable files (for example PHP scripts), since a file uploaded this way can be executed by the web server.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats. 3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2021-47965 - WordPress WP Super Edit Unrestricted File Upload
```yaml
title: CVE-2021-47965 - WordPress WP Super Edit Unrestricted File Upload
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  Detects the specific file upload endpoint used by the WP Super Edit plugin's FCKeditor component for CVE-2021-47965.
  Successful exploitation involves uploading a malicious file (e.g., a PHP shell) through this endpoint, leading to RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47965/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-content/plugins/wp-super-edit/fckeditor/editor/filemanager/connectors/php/connector.php'
    # Sigma has no 'exact' modifier; a field without a modifier is already an exact match.
    cs-method: 'POST'
    sc-status: '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
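The following script is an added example, not code from the original post or from the plugin. It applies the rule's `selection` logic to constructed webserver log lines in an assumed W3C-style layout (`date time c-ip cs-method cs-uri sc-status`) and goes one step further than the rule: a later request for a `.php` file under the uploads tree from the same client that hit the connector is reported as the likely second stage (executing the uploaded file). The `/wp-content/uploads/` prefix and all log lines are assumptions; the real upload location depends on the install's FCKeditor configuration.

```python
"""Apply the Sigma rule's selection to webserver log lines and correlate
follow-up requests. Added example, not part of the original post.

Assumed log format (W3C extended style, space separated):
    date time c-ip cs-method cs-uri sc-status
"""
from dataclasses import dataclass
from typing import Optional

# Endpoint named in the Sigma rule (taken from the page).
CONNECTOR_PATH = ("/wp-content/plugins/wp-super-edit/fckeditor/editor/"
                  "filemanager/connectors/php/connector.php")
# Assumption: uploaded files land under the WordPress uploads tree. The real
# location depends on the FCKeditor user-files setting of the install.
UPLOAD_PREFIX = "/wp-content/uploads/"


@dataclass
class Hit:
    line_no: int          # 1-based index into the scanned input
    reason: str           # which check fired
    c_ip: str
    cs_uri: str


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into the fields the rule references; None if malformed."""
    parts = line.split()
    if len(parts) < 6:
        return None
    _date, _time, c_ip, method, uri, status = parts[:6]
    return {"c-ip": c_ip, "cs-method": method.upper(),
            "cs-uri": uri, "sc-status": status}


def sigma_selection(rec: dict) -> bool:
    """Equivalent of the rule's 'selection' block:
    cs-uri contains the connector path AND method POST AND status 200."""
    return (CONNECTOR_PATH in rec["cs-uri"]
            and rec["cs-method"] == "POST"
            and rec["sc-status"] == "200")


def php_under_uploads(rec: dict) -> bool:
    """Request for a .php file beneath the uploads tree; executable content
    should never be served from there."""
    path = rec["cs-uri"].split("?", 1)[0].lower()
    return path.startswith(UPLOAD_PREFIX) and path.endswith(".php")


def scan(lines) -> list:
    """Return one Hit per matching line. A .php request under uploads is
    reported only when the same client IP previously triggered the upload
    selection, tying the two stages of the described attack together."""
    hits = []
    uploaders = set()
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        if sigma_selection(rec):
            uploaders.add(rec["c-ip"])
            hits.append(Hit(n, "sigma_selection", rec["c-ip"], rec["cs-uri"]))
        elif php_under_uploads(rec) and rec["c-ip"] in uploaders:
            hits.append(Hit(n, "php_under_uploads_after_upload",
                            rec["c-ip"], rec["cs-uri"]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-05-15 22:10:01 203.0.113.7 GET /wp-login.php 200",
    "2026-05-15 22:10:05 203.0.113.7 POST " + CONNECTOR_PATH + "?Command=FileUpload&Type=File 200",
    "2026-05-15 22:10:09 203.0.113.7 GET /wp-content/uploads/upload.php 200",
    "2026-05-15 22:11:00 198.51.100.4 GET /wp-content/uploads/2026/05/logo.png 200",
    "2026-05-15 22:12:30 198.51.100.4 POST " + CONNECTOR_PATH + " 403",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason} from {h.c_ip} -> {h.cs_uri}")
```

Note that the rule, and therefore `sigma_selection`, only fires on a `200` response: the blocked attempt on the last sample line (status 403) is not reported. When hunting rather than alerting, dropping the status condition shows who is probing the connector even where the upload failed.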
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47965 | RCE | WordPress Plugin WP Super Edit 2.5.4 and earlier |
| CVE-2021-47965 | Unrestricted File Upload | FCKeditor component in WP Super Edit |
| CVE-2021-47965 | RCE | filemanager upload endpoint |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.