CVE-2021-47933 WordPress MStore API 2.0.6 Arbitrary File Upload
Details
CVSS v3
9.8
Affected versions
WordPress MStore API 2.0.6
Summary
This vulnerability allows unauthenticated remote attackers to upload arbitrary malicious files to vulnerable web servers. The flaw exists in the plugin's REST API endpoint that accepts unauthenticated POST requests. Successful exploitation leads to full remote code execution on the target server.
Remediation
Update the MStore API plugin to a patched non-vulnerable version immediately if an update is available. If no patch is available, remove the plugin and block public access to its endpoint via web server configuration. Audit the server for unauthorized files or malicious activity.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.