
WordPress plugin allows attackers to upload malicious files to take control.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2021-47940

WordPress plugin Download From Files allows unauthenticated attackers to upload malicious files, potentially leading to server compromise. This critical flaw is internet-facing and affects websites using version 1.48 and earlier.

Halo Surface Signal score for CVE-2021-47940: 4 (external exposure likelihood)

Weakness: Missing Authentication

The vulnerability resides in a WordPress plugin used within web applications. WordPress sites are commonly deployed as internet-facing web services. The vulnerable AJAX endpoint is directly accessible via standard web requests, exposing this functionality to the internet in any typical public-facing WordPress deployment.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability allows unauthenticated attackers to upload malicious files to a WordPress website. By exploiting a specific function within the Download From Files plugin, attackers can bypass security checks and place harmful executables on the server, potentially leading to a full compromise.

  • Websites using this plugin are at risk.
  • Attackers can gain control of the web server.
  • The issue is reachable from the internet.

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can exploit this flaw by targeting the `admin-ajax.php` endpoint of the Download From Files WordPress plugin, version 1.48 and earlier. By manipulating request parameters, they can upload and execute malicious files on the web server, gaining control of it.

  • Targets `admin-ajax.php` endpoint.
  • Uploads malicious PHP shells.
  • No authentication required.

Live Threat

Current exploitation, exposure, and threat context

This arbitrary file upload vulnerability in a popular WordPress plugin is a significant concern for exposed web servers. Attackers can leverage this flaw to upload malicious files, potentially leading to full system compromise without prior authentication. The widespread use of WordPress and the direct accessibility of the vulnerable endpoint make it an attractive target.

  • Unauthenticated remote code execution possible.
  • Public exploit code exists.
  • Vulnerability is relatively recent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate containment for the WordPress Download From Files plugin, as unauthenticated users can upload malicious files. Review logs for exploitation attempts targeting the admin-ajax.php endpoint and analyze the reachability of affected services.

  • Block traffic to admin-ajax.php.
  • Isolate affected WordPress instances.
  • Monitor for unusual file uploads.

Frequently asked questions

What is the WordPress Plugin Download From Files?

The WordPress Plugin Download From Files is a component designed for WordPress websites to facilitate the management and distribution of downloadable files. It empowers website administrators to upload various digital assets, such as documents or software, and make them accessible to site visitors.

What type of vulnerability is CVE-2021-47940 and what is its weakness classification?

CVE-2021-47940 represents an arbitrary file upload vulnerability. This weakness is classified under CWE-306, Missing Authentication for Critical Function, indicating that critical functions lack proper authentication.

How can an attacker exploit the arbitrary file upload vulnerability in Download From Files?

Attackers can exploit this by sending POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action. By manipulating the allowExt parameter, they can bypass file type restrictions and upload executable files, such as PHP shells, to the web server.

What is the relevance of CVE-2021-47940 to web applications?

This arbitrary file upload vulnerability in a WordPress plugin is a significant concern for exposed web servers. Attackers can leverage this flaw to upload malicious files, potentially leading to full system compromise without prior authentication, making it a critical threat for internet-facing WordPress sites.

What steps should be taken to address the WordPress Download From Files vulnerability?

Immediate containment is crucial for the WordPress Download From Files plugin due to the risk of unauthenticated malicious file uploads. Administrators should review logs for exploitation attempts targeting the admin-ajax.php endpoint and assess the reachability of affected services to determine appropriate isolation or blocking measures.
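The log review recommended under "Operational Fix" and in the answer above can be scripted. The following is an added example, not code from the advisory or the plugin vendor: it parses combined-format web server access log lines (constructed sample lines, documentation-range IPs) and flags requests to `admin-ajax.php` carrying the `download_from_files_617_fileupload` action, plus a follow-on indicator, a `.php` file being served out of `wp-content/uploads/`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format access line (Apache/nginx). The request body is not logged,
# so an action sent only in the POST body will not be visible here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ACTION = "download_from_files_617_fileupload"  # action name from the advisory
# Extensions that should never be served from the uploads directory.
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding label for one parsed entry, or None if it looks benign."""
    url = urlsplit(entry["target"])
    if url.path.endswith("/admin-ajax.php"):
        if UPLOAD_ACTION in parse_qs(url.query).get("action", []):
            return "upload_action_hit"
    if (url.path.startswith("/wp-content/uploads/")
            and EXEC_EXT_RE.search(url.path) and entry["status"] == "200"):
        return "php_served_from_uploads"
    return None


def scan_log(text):
    """Scan a whole log and return (ip, label, path) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ip"], label, urlsplit(entry["target"]).path))
    return findings


# Constructed sample lines, not real traffic; IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/uploads/2024/05/upload.php HTTP/1.1" 200 120 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:04 +0000] "GET /wp-content/uploads/2024/05/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, label, path in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{path}")
```

Because access logs omit POST bodies, pair this with a WAF or request-body logging if the action is expected to arrive in the body; a hit on the second rule is worth treating as evidence of a successful upload rather than just an attempt.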
