PatchSiren cyber security CVE debrief
CVE-2021-47979 WordPress CVE debrief
CVE-2021-47979 describes an authenticated arbitrary file deletion issue in the WordPress plugin Backup and Restore 1.0.3. According to the supplied CVE description and NVD data, an attacker can send crafted POST requests to admin-ajax.php and manipulate the file_name and folder_name parameters to delete files from the WordPress installation directory. Because file deletion can damage site availability and potentially remove security-critical files, this issue is high risk for any environment running the affected plugin. The supplied record maps the weakness to CWE-22 and assigns a high severity score (CVSS 8.7).
- Vendor: WordPress
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
WordPress administrators, site owners, managed hosting providers, and security teams responsible for plugins installed on WordPress sites should care most. Any environment using Backup and Restore 1.0.3 should be treated as potentially affected until it is confirmed removed or updated.
Technical summary
The vulnerability is an authenticated arbitrary file deletion flaw in Backup and Restore 1.0.3 for WordPress. The supplied description states that POST requests to admin-ajax.php can be crafted with attacker-controlled file_name and folder_name parameters to delete arbitrary files within the WordPress installation directory. NVD associates the issue with CWE-22 (path traversal / improper limitation of a pathname to a restricted directory), consistent with file-system boundary abuse.
Defensive priority
High. The impact is immediate and destructive because file deletion can disrupt site availability and may remove configuration or application files. Prioritize any instance of the affected plugin for verification, update, or removal.
Recommended defensive actions
- Verify whether Backup and Restore 1.0.3 is installed on any WordPress instance in your estate.
- If present, remove the plugin or replace it with a version confirmed by the vendor to address the issue.
- Review WordPress and web server logs for suspicious POST requests to admin-ajax.php involving Backup and Restore actions or unusual file_name and folder_name values.
- Check the integrity of the WordPress installation directory and restore any missing or altered files from known-good backups.
- Restrict plugin installation and administration privileges to trusted operators only, and limit exposure of administrative interfaces where feasible.
- Monitor for repeated file-deletion attempts or unexpected filesystem changes after remediation.
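The log-review step above can be scripted. The following is an added example, not code from the plugin, the advisory, or NVD. It assumes request bodies are captured (standard access logs omit POST bodies) in a hypothetical one-line layout, and it uses constructed sample records with a placeholder action name.

```python
import re
from urllib.parse import parse_qs, unquote

WATCHED = ("file_name", "folder_name")  # parameters named in the CVE description
# Assumed (hypothetical) log layout with bodies captured: IP "METHOD PATH" body="..."
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" body="(?P<body>[^"]*)"$')
# Constructed sample records; "example_action" is a placeholder, not the plugin's real action.
SAMPLE = [
    '203.0.113.7 "POST /wp-admin/admin-ajax.php" body="action=example_action&folder_name=..%2F..&file_name=example.txt"',
    '203.0.113.7 "POST /wp-admin/admin-ajax.php" body="action=example_action&folder_name=backups&file_name=..%252Fexample.txt"',
    '198.51.100.4 "POST /wp-admin/admin-ajax.php" body="action=example_action&folder_name=backups&file_name=site-2021.zip"',
]

def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding so double-encoded separators become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_reasons(value):
    """Return the reasons a value is more than a plain file or folder name."""
    v = fully_decode(value)
    reasons = []
    if "\x00" in v:
        reasons.append("null byte")
    if v.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", v):
        reasons.append("absolute path")
    if ".." in re.split(r"[\\/]", v):  # whole path segment only, so "a..b.txt" is not flagged
        reasons.append("parent-directory segment")
    return reasons

def triage(lines):
    """Return (ip, param, value, reasons) for flagged POSTs to admin-ajax.php."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or not m["path"].split("?")[0].endswith("/admin-ajax.php"):
            continue
        for name, values in parse_qs(m["body"], keep_blank_values=True).items():
            for raw in values if name in WATCHED else ():
                if reasons := suspicious_reasons(raw):
                    findings.append((m["ip"], name, raw, reasons))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Adapt `LINE_RE` to whatever source actually records request bodies in your environment, such as a WAF audit log.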
Evidence notes
This debrief is based only on the supplied CVE description and NVD source item metadata. The record identifies authenticated arbitrary file deletion in WordPress plugin Backup and Restore 1.0.3, triggered through crafted admin-ajax.php POST requests using file_name and folder_name parameters. The supplied metadata lists CWE-22 and CVSS 4.0 vector data, and the references include the plugin page, a VulnCheck advisory, and NVD/CVE records. No exploit steps beyond the public description are included.
Official resources
The supplied CVE and source item metadata are dated 2026-05-16. This debrief uses those supplied dates for timeline context only and does not infer any separate publication or review date.