WordPress Plugin Backup and Restore: Arbitrary File Deletion Exposes Installations
The National Vulnerability Database has detailed CVE-2021-47979, a critical arbitrary file deletion vulnerability in WordPress Plugin Backup and Restore version 1.0.3. This flaw allows authenticated attackers to delete arbitrary files within a WordPress installation. The root cause is improper handling of the `file_name` and `folder_name` parameters in AJAX requests to `admin-ajax.php`, which attackers can manipulate via POST requests.
This isn’t just a minor annoyance; an attacker with even low-level authenticated access could wipe out critical files, leading to site defacement, denial of service, or even full compromise if they target configuration files or critical scripts. The National Vulnerability Database assigns this a CVSS score of 8.8 (HIGH), reflecting the significant impact on availability, integrity, and confidentiality. The weakness is classified as CWE-22 (path traversal).
While the National Vulnerability Database does not specify affected products beyond the plugin itself, any organization running this specific version of the WordPress Plugin Backup and Restore is at severe risk. Defenders must understand that low-privileged access is often trivial for attackers to gain, making such vulnerabilities highly exploitable in the wild. This is a direct path to crippling a WordPress site.
What This Means For You
- If your organization uses the WordPress Plugin Backup and Restore, immediately verify if you are running version 1.0.3 or older. Patch or remove this plugin without delay. Audit your WordPress installation logs for any suspicious `admin-ajax.php` POST requests with unusual `file_name` or `folder_name` parameters, especially from authenticated but unexpected users.
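
One way to run the log audit described above, as an added example rather than code from the advisory or the plugin. It assumes request bodies are available (for example from a WAF or reverse-proxy audit log, since standard access logs omit POST bodies) as records with hypothetical `user`, `method`, `uri` and `body` fields; the sample records and the `example_action` value are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

WATCHED = ("file_name", "folder_name")  # parameters named in the advisory

def is_suspicious(value: str) -> bool:
    """True if a path parameter tries to leave the directory it belongs in."""
    prev = None
    while prev != value:          # decode repeatedly to catch double encoding
        prev, value = value, unquote(value)
    norm = value.replace("\\", "/")
    return (
        ".." in norm.split("/")                  # parent-directory segment
        or norm.startswith("/")                  # absolute path
        or (len(norm) > 1 and norm[1] == ":")    # Windows drive prefix
        or "\x00" in norm                        # embedded NUL byte
    )

def flag_requests(records):
    """Yield (user, param, value) for admin-ajax.php POSTs worth reviewing."""
    for rec in records:
        if rec["method"] != "POST":
            continue
        if not urlsplit(rec["uri"]).path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(rec["body"], keep_blank_values=True)
        for name in WATCHED:
            for value in params.get(name, []):
                if is_suspicious(value):
                    yield rec["user"], name, value

# Constructed sample records (hypothetical field names, not real traffic).
SAMPLE = [
    {"user": "editor1", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=example_action&file_name=backup-2021.zip&folder_name=backups"},
    {"user": "subscriber7", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=example_action&file_name=..%2F..%2Findex.php&folder_name=backups"},
    {"user": "subscriber7", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=example_action&file_name=a.zip&folder_name=%252e%252e%252f%252e%252e"},
    {"user": "admin", "method": "GET", "uri": "/wp-admin/admin-ajax.php?file_name=../x",
     "body": ""},
]

if __name__ == "__main__":
    for user, name, value in flag_requests(SAMPLE):
        print(f"review: user={user} {name}={value!r}")
```

Hits are a starting point for review: correlate each flagged user with their role and with files that went missing around the same time.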
🛡️ Detection Rules
Web Application Exploitation Attempt — CVE-2021-47979
```yaml
title: Web Application Exploitation Attempt — CVE-2021-47979
id: scw-2026-05-16-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2021-47979 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47979/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Generic patterns matched against the URI query string only; parameters
  # sent in a POST body (such as file_name and folder_name) are not in this field.
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2021-47979
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47979 | Arbitrary File Deletion | WordPress Plugin Backup and Restore version 1.0.3 |
| CVE-2021-47979 | Arbitrary File Deletion | POST request to admin-ajax.php with crafted file_name and folder_name parameters |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 16, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.