External risk intelligence

WordPress MStore API allows attackers to upload files and take control of your server.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2021-47933

WordPress MStore API has a critical flaw letting attackers upload malicious files and take over your website server without needing a login.

Halo Surface Signal: 4

Missing Authentication

External exposure likelihood

Halo Surface Signal score for CVE-2021-47933

The vulnerability exists within a WordPress plugin's REST API endpoint. Because this is a web application component, the vulnerable interface is reachable over the internet as part of the standard deployment of the hosting website, making the attack surface commonly exposed by design.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the WordPress MStore API allows unauthenticated attackers to upload malicious files. This could lead to remote code execution on the server, giving attackers control over your site.

  • Allows unauthenticated attackers to upload files.
  • Can lead to remote code execution.
  • Affects the MStore API plugin.

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can exploit this flaw by uploading arbitrary PHP files to a WordPress site's REST API. This allows them to execute malicious code on the server, potentially taking full control of the compromised system. The vulnerability resides within the MStore API plugin's `config_file` endpoint.

  • No authentication required.
  • Target: MStore API REST endpoint.
  • Upload PHP file to config_file.

Live Threat

Current exploitation, exposure, and threat context

This WordPress plugin vulnerability allows unauthenticated attackers to upload arbitrary files, leading to remote code execution. The ease of exploitation and broad reach make it a prime target for automated attacks and campaigns aiming to compromise web servers. While the plugin is widely used, there are no immediate signals of widespread exploitation, suggesting attackers may not yet be prioritizing this specific vector.

  • Public exploit exists.
  • No active KEV signals.
  • Recency signals are weak.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking all unauthenticated POST requests to the MStore API's `config_file` endpoint. Review logs for any unauthorized file uploads or suspicious PHP execution attempts. Immediately investigate and isolate any identified affected WordPress instances.

  • Block `config_file` endpoint POST requests.
  • Search logs for unexpected PHP files.
  • Isolate compromised systems.
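
One way to run the log review described above, as an added example (not code from this advisory or from the plugin): it assumes combined-format access logs, uses a placeholder REST namespace `example-ns/v1` in constructed sample lines, and treats any PHP request under `wp-content/uploads` as unexpected.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines: the namespace and the file path are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-json/example-ns/v1/config_file HTTP/1.1" 200 85 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-content/uploads/2024/03/x.php?a=1 HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "POST /?rest_route=%2Fexample-ns%2Fv1%2Fconfig_file HTTP/1.1" 401 120 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:10:03:02 +0000] "GET /wp-content/uploads/2024/03/logo.png HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:10:03:04 +0000] "GET /wp-json/example-ns/v1/config_file HTTP/1.1" 200 40 "-" "-"',
]

def rest_route(target):
    """Return the REST route a request addresses, or None for non-REST requests."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return path.split("/wp-json", 1)[1]
    # Without pretty permalinks WordPress takes the route from ?rest_route=
    route = parse_qs(parts.query).get("rest_route")
    return route[0] if route else None

def triage(lines):
    """Return (POSTs to a config_file route, requests for .php under uploads)."""
    posts, php_hits = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ip": m["ip"], "time": m["ts"], "status": m["status"]}
        route = rest_route(m["target"])
        path = unquote(urlsplit(m["target"]).path).lower()
        if m["method"] == "POST" and route and "config_file" in route.lower():
            posts.append({**rec, "route": route})
        # Assumption: the uploads tree should never serve PHP on a healthy site
        elif "/wp-content/uploads/" in path and path.endswith(".php"):
            php_hits.append({**rec, "path": path})
    posters = {p["ip"] for p in posts}
    for hit in php_hits:
        hit["same_client_posted"] = hit["ip"] in posters
    return posts, php_hits

if __name__ == "__main__":
    for kind, rows in zip(("config_file POST", "PHP under uploads"), triage(SAMPLE_LOG)):
        for row in rows:
            print(kind, row)
```

A 2xx status on a `config_file` POST followed by a PHP request from the same client is the pairing to investigate first; a 401 or 403 shows the block is working.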

Frequently asked questions

What is the MStore API for WordPress and what does it do?

The MStore API is a plugin for WordPress that enables file uploads through its REST API. It is designed to manage and transfer files within a WordPress environment, which can be utilized for purposes such as e-commerce or content management.

What type of weakness does CVE-2021-47933 represent and how does it work?

CVE-2021-47933 is classified as an arbitrary file upload vulnerability. This security flaw permits an attacker to upload files of their choice to the targeted system. Once uploaded, these files can be executed, potentially granting the attacker control over the server.

What are the specific conditions required for an attacker to exploit this arbitrary file upload flaw?

To exploit this vulnerability, an attacker must send POST requests to the MStore API's REST API endpoint. The specific target for exploitation is the `config_file` endpoint, where malicious PHP files can be uploaded with arbitrary names.

What is the relevance of CVE-2021-47933 given its presence in a WordPress plugin's REST API?

The relevance of CVE-2021-47933 stems from its location within a WordPress plugin's REST API. This makes the vulnerable interface accessible over the internet as part of a standard website deployment, exposing a commonly used component to potential attackers.

What practical steps should be taken to respond to the arbitrary file upload vulnerability in MStore API?

To address this vulnerability, it is recommended to block all unauthenticated POST requests directed at the MStore API's `config_file` endpoint. Additionally, system administrators should meticulously review logs for any signs of unauthorized file uploads or suspicious PHP execution attempts, and promptly investigate and isolate any WordPress instances confirmed to be affected.
