PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47940 WordPress CVE debrief

CVE-2021-47940 describes an unauthenticated arbitrary file upload issue in the WordPress plugin Download From Files version 1.48 and earlier. The vulnerable AJAX upload flow can be abused through the admin-ajax.php endpoint by manipulating the allowExt parameter to bypass file-type restrictions and place attacker-controlled files in the web root. Because the disclosed behavior includes uploading executable files such as PHP shells, affected sites should treat this as a critical remote compromise risk.

Vendor: WordPress
Product: Unknown
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

WordPress site owners, administrators, and managed hosting teams running the Download From Files plugin version 1.48 or earlier should prioritize this issue. Security teams that monitor plugin inventories, file-upload controls, and webroot integrity should also review it.

Technical summary

According to the supplied description and NVD metadata, the weakness is in the plugin’s AJAX fileupload action exposed via admin-ajax.php. An unauthenticated attacker can send a POST request and alter the allowExt parameter to bypass extension checks, enabling arbitrary file upload. The supplied record classifies the issue as critical (CVSS 9.3) and lists CWE-306 in NVD metadata, though the functional behavior described is file-upload control bypass rather than missing authentication.

Defensive priority

Critical. The issue is network-reachable, unauthenticated, and can result in attacker-controlled files being written to the web root. If executable content is accepted, the impact can extend to full site compromise.

Recommended defensive actions

  • Confirm whether Download From Files is installed and whether any instance is at version 1.48 or earlier.
  • Remove or disable the plugin until a fixed version is available and validated in your environment.
  • Review web server logs for suspicious POST activity to admin-ajax.php and unexpected use of the download_from_files_617_fileupload action.
  • Inspect the WordPress web root and upload directories for unexpected new files, especially PHP or other executable content.
  • If compromise is suspected, rotate credentials, review administrator accounts, and verify site integrity from a known-good backup.
  • Apply web application firewall or reverse-proxy rules to restrict suspicious AJAX upload patterns while remediation is in progress.
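As an added example (not code from PatchSiren or from the plugin), the log-review and webroot checks above expressed as a small Python scan over constructed access log lines; the combined log format, the sample entries, and the Referer heuristic are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_ACTION = "download_from_files_617_fileupload"  # action named in the debrief
EXEC_EXT = (".php", ".phtml", ".phar")  # never legitimate under wp-content/uploads

# Apache/nginx "combined" format (assumed). The action is only visible here when it
# is passed in the query string; a body-only action needs request-body logging.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["action"] = parse_qs(parts.query).get("action", [""])[0]
    return rec

def flag_suspicious(lines):
    """Return (rule, client_ip, path) tuples for lines matching the indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and path.endswith("/admin-ajax.php"):
            if rec["action"] == UPLOAD_ACTION:
                findings.append(("upload_action", rec["ip"], path))
            elif rec["referer"] == "-":
                # Weaker signal: browser-driven admin AJAX calls normally carry a Referer.
                findings.append(("ajax_post_no_referer", rec["ip"], path))
        if "/wp-content/uploads/" in path and path.lower().endswith(EXEC_EXT):
            findings.append(("php_in_uploads", rec["ip"], path))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/May/2026:12:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2026:12:00:09 +0000] "GET /wp-content/uploads/2026/05/unexpected.php HTTP/1.1" 200 3 "-" "curl/8.4.0"',
]
```

Run `flag_suspicious` over your real access log lines; the second sample line (a referred POST with no upload action) is intentionally not flagged.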

Evidence notes

This debrief is based only on the provided CVE description, NVD metadata, and the listed reference links. The supplied record states that Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability accessible through admin-ajax.php, with allowExt parameter manipulation enabling file-type bypass. The resource set includes the WordPress plugin page, the NVD record, and two disclosure references. NVD metadata also lists CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N and CWE-306.

Official resources

Public vulnerability record published on 2026-05-10 per the supplied CVE timeline. This debrief uses the CVE published date from the source corpus, not the generation date.