PatchSiren cyber security CVE debrief
CVE-2021-47977 Gotmls CVE debrief
CVE-2021-47977 describes a high-severity directory traversal issue in the WordPress plugin Anti-Malware Security and Bruteforce Firewall, version 4.20.59. According to the supplied record, an unauthenticated attacker can manipulate the file parameter of the duplicator_download action, reached via admin-ajax.php, to read arbitrary files outside the intended directory. The supplied CVSS v4.0 vector indicates a network-exploitable confidentiality impact with no authentication required.
- Vendor: Gotmls
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
WordPress site owners, administrators, and defenders running Anti-Malware Security and Bruteforce Firewall 4.20.59 or related deployments should treat this as a priority file-disclosure issue, especially where sensitive configuration, credential, or backup files may be present on the server.
Technical summary
The vulnerability is categorized as CWE-22 (path traversal). The supplied description says the plugin's duplicator_download action in admin-ajax.php accepts a file parameter that can be manipulated with traversal sequences, allowing access to files outside the intended directory. NVD metadata in the supplied corpus lists a CVSS v4.0 vector of AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N, that is, network attack vector, low attack complexity, no attack requirements, no privileges, no user interaction, high confidentiality impact and no integrity or availability impact, consistent with unauthenticated remote file-read exposure.
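As an added illustration that is not part of the advisory and not the plugin's own code (the plugin is PHP), the Python below shows the CWE-22 pattern in the abstract: a naive join that lets `..` segments walk out of the intended directory, beside a hardened resolver that canonicalizes the result and confines it to the base directory. The directory name BACKUP_DIR is a hypothetical placeholder; the advisory does not name the plugin's real download directory.

```python
"""CWE-22 in miniature: naive path joining versus a confined resolver."""
import os
from typing import Optional

# Hypothetical download directory used only for this example; the advisory
# does not state where the plugin actually serves files from.
BACKUP_DIR = "/var/www/html/wp-content/backups"


def naive_path(base: str, requested: str) -> str:
    """The unsafe pattern: trust the caller's file name and join it onto the
    base directory. A value such as '../../wp-config.php' walks out of `base`
    because normalisation happily collapses the '..' segments."""
    return os.path.normpath(os.path.join(base, requested))


def safe_path(base: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` only if it stays inside
    `base`; return None for anything that escapes or looks malformed."""
    if not requested or "\x00" in requested:
        # Empty names and embedded NULs are never legitimate file names here.
        return None
    if os.path.isabs(requested):
        # os.path.join discards `base` when the second part is absolute.
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole path components, so it rejects both '..'
    # escapes and sibling-prefix names such as base + "-old" that a plain
    # startswith() check would accept.
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("site-backup.zip", "../../wp-config.php", "../backups-old/site.zip"):
        print(f"{name!r:32} naive -> {naive_path(BACKUP_DIR, name)}")
        print(f"{'':32} safe  -> {safe_path(BACKUP_DIR, name)}")
```

The resolver deliberately works on the decoded value the application sees, not on raw query strings; decoding belongs at the HTTP layer, and the confinement check must run on the final name that reaches the filesystem call.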
Defensive priority
High. The attack requires no privileges and can expose sensitive local files remotely, so affected deployments should be assessed and remediated quickly.
Recommended defensive actions
- Confirm whether Anti-Malware Security and Bruteforce Firewall 4.20.59 is installed on any public-facing WordPress instance.
- Upgrade to a vendor-fixed version if one is available; if not, disable or remove the plugin until a safe version can be deployed.
- Review web and application logs for requests to admin-ajax.php with duplicator_download and suspicious path traversal patterns in the file parameter.
- Check whether sensitive files such as wp-config.php, backup archives, or environment files could have been exposed and rotate secrets if disclosure is suspected.
- Apply least-privilege file permissions and limit exposure of administrative endpoints where feasible.
- Validate that compensating controls such as WAF rules and monitoring are in place to detect traversal-style requests.
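To make the log-review action concrete, here is an added Python example that is not part of the advisory and not vendor tooling. It scans Apache-style access-log lines for admin-ajax.php requests whose action is duplicator_download and whose file parameter carries traversal sequences or an absolute path, decoding the value a second time so double-encoded variants are not missed. The log lines, client addresses and timestamps are constructed for the example.

```python
"""Flag duplicator_download requests with traversal-style file parameters."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' segment bounded by slashes/backslashes or by the start/end of the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed sample lines; addresses come from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2026:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [16/May/2026:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=site-backup.zip HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2026:10:16:41 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../wp-config.php HTTP/1.1" 200 2931 "-" "curl/8.0"
198.51.100.7 - - [16/May/2026:10:16:55 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 2931 "-" "curl/8.0"
192.0.2.44 - - [16/May/2026:10:17:03 +0000] "GET /index.php HTTP/1.1" 200 10233 "-" "Mozilla/5.0"
"""


def classify_request(target):
    """Return (action, file) for an admin-ajax.php request target, else None.
    parse_qs performs the first round of percent-decoding."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    action = qs.get("action", [""])[0]
    file_value = qs.get("file", [""])[0]
    return action, file_value


def scan_log(text):
    """Return one finding per line that requests duplicator_download with a
    file parameter that escapes a directory after full decoding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = classify_request(m.group("target"))
        if parsed is None:
            continue
        action, file_value = parsed
        if action != "duplicator_download":
            continue
        # Second decode catches %252e%252e%252f-style double encoding.
        decoded = unquote(file_value)
        if TRAVERSAL_RE.search(decoded) or decoded.startswith(("/", "\\")):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "file": decoded,
                "raw": file_value,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} status={finding['status']} file={finding['file']!r}")
```

Two caveats for triage: admin-ajax.php is routinely called with POST, and body parameters never reach the access log, so the same check should be run against WAF or application-level logs where those exist; and the recorded status code only hints at success, so any hit against a sensitive name such as wp-config.php should be followed by the secret rotation the actions above describe.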
Evidence notes
This debrief is based only on the supplied CVE description, the NVD metadata embedded in the source item, and the listed references. The corpus names CWE-22 and describes unauthenticated file disclosure through admin-ajax.php?action=duplicator_download with traversal sequences. The vendor attribution in the supplied metadata is low-confidence and marked for review; the product/version detail comes from the provided description.
Official resources
The supplied CVE timeline shows publication and modification on 2026-05-16. The record was also surfaced through the supplied NVD modified source item and includes third-party references in its metadata.