CVE-2021-47933

critical

Description

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.

References

https://www.vulncheck.com/advisories/wordpress-mstore-api-arbitrary-file-upload

https://www.exploit-db.com/exploits/50379

https://wordpress.org/plugins/mstore-api/

Details

Source: Mitre, NVD

Published: 2026-05-10

Updated: 2026-05-10

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical