PatchSiren cyber security CVE debrief

CVE-2021-47965 wp-super-edit CVE debrief

CVE-2021-47965 documents an unrestricted file upload vulnerability in the WordPress plugin WP Super Edit, versions 2.5.4 and earlier. The vulnerability resides in the bundled FCKeditor component, which fails to validate uploaded file types. Attackers can leverage the filemanager upload endpoint to upload arbitrary files, potentially achieving remote code execution and complete system compromise. The CVE record was published on May 15, 2026 and last modified on May 18, 2026. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). No known exploitation in ransomware campaigns has been documented in available sources.

Vendor: wp-super-edit
Product: Unknown
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

WordPress site administrators, security operations centers monitoring content management system threats, web hosting providers offering shared WordPress environments, and organizations utilizing WP Super Edit for content editing functionality.

Technical summary

The WP Super Edit WordPress plugin bundles the FCKeditor rich text editor, which includes a filemanager feature for uploading files. Versions 2.5.4 and earlier do not implement adequate server-side validation of uploaded file extensions and content types. In default configurations the filemanager upload endpoint accepts arbitrary file uploads without authentication or authorization checks. Successful exploitation allows an unauthenticated remote attacker to upload executable web scripts (e.g., PHP files) to accessible directories within the web root. Once uploaded, these files can be requested directly over HTTP, resulting in remote code execution with the privileges of the web server process. This enables complete system compromise, including data exfiltration, lateral movement, and establishment of persistent access.

Defensive priority

critical

Recommended defensive actions

  • Remove or disable WP Super Edit plugin versions 2.5.4 and earlier from all WordPress installations
  • Audit web server upload directories for unexpected executable files (PHP, JSP, ASP, etc.)
  • Implement Web Application Firewall (WAF) rules to block requests to FCKeditor filemanager endpoints
  • Review and restrict file upload permissions at the web server configuration level
  • Monitor for indicators of compromise including unexpected file creation in plugin directories
  • Apply principle of least privilege to web server process accounts
  • Consider migrating to alternative editor plugins with active security maintenance
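As an added defensive example (not from PatchSiren or the plugin), the following Python script implements the upload-directory audit recommended above: it walks an upload tree and flags files that carry an executable extension, hide an executable extension behind a double extension, or contain server-side script markers despite an image-style name. The sample tree, the extension list and the marker patterns are constructed for this demonstration and are assumptions, not values from the advisory.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions a typical web server would execute if requested over HTTP
# (constructed list, modelled on the advisory's "PHP, JSP, ASP, etc.").
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
                   ".jsp", ".asp", ".aspx"}
# Byte patterns that mark server-side script content whatever the file is named.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%", re.IGNORECASE)


def classify(path: Path) -> list:
    """Return the reasons this file is suspicious in an upload directory (empty if clean)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in EXEC_EXTENSIONS:
        reasons.append("executable extension")
    elif any(s in EXEC_EXTENSIONS for s in suffixes[:-1]):
        reasons.append("executable extension hidden by double extension")
    try:
        head = path.read_bytes()[:4096]  # the marker sits near the start of a script file
    except OSError:
        return reasons
    if SCRIPT_MARKERS.search(head):
        reasons.append("server-side script marker in content")
    return reasons


def audit_upload_dir(root) -> dict:
    """Walk root and map each flagged file (POSIX-style relative path) to its reasons."""
    root = Path(root)
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_dir() -> Path:
    """Create a constructed sample upload tree (synthetic fixture, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="upload_audit_"))
    d = root / "2026" / "05"
    d.mkdir(parents=True)
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # benign JPEG header
    (d / "upload.php").write_bytes(b"<?php echo 'constructed'; ?>")      # script by name and content
    (d / "avatar.php.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 8)  # double extension
    (d / "banner.gif").write_bytes(b"GIF89a<?php echo 1; ?>")            # image header, script body
    return root


if __name__ == "__main__":
    for rel, why in sorted(audit_upload_dir(build_sample_dir()).items()):
        print(f"{rel}: {', '.join(why)}")
```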

Evidence notes

Vulnerability description sourced from the official CVE record and the NVD entry. CVSS vector and weakness classification (CWE-434) derived from NVD metadata. Vendor attribution to the WordPress plugin ecosystem is based on reference-domain analysis and is flagged low confidence for review. Exploit existence is indicated by an Exploit-DB reference. Advisory documentation is available via VulnCheck.

Official resources

2026-05-15