CVE-2021-47933 Overview
CVE-2021-47933 is an arbitrary file upload vulnerability in the WordPress MStore API plugin, version 2.0.6. A REST API endpoint of the plugin accepts file uploads without authenticating the caller, so an unauthenticated attacker can send a crafted POST request to the config_file endpoint and have the plugin write a PHP file, under an attacker-chosen name, into a web-accessible directory; requesting that file afterwards executes it, giving remote code execution on the underlying server. The weakness is classified as [CWE-306] Missing Authentication for Critical Function. The MStore API plugin is widely deployed on WordPress sites that serve as backends for mobile commerce applications, which widens the exposed population.
Critical Impact
Unauthenticated remote attackers can upload PHP files to vulnerable WordPress sites and execute arbitrary code, leading to full server compromise.
Affected Products
- WordPress MStore API plugin version 2.0.6
- WordPress sites running the vulnerable MStore API REST endpoint
- Mobile commerce backends built on the MStore API plugin
Discovery Timeline
- 2026-05-10 - CVE-2021-47933 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47933
Vulnerability Analysis
The MStore API plugin registers a REST API route that accepts file uploads without any permission check: the request is never tied to an authenticated user, and neither the declared file type nor the file extension is validated before the content is written to disk. An attacker can therefore POST a PHP payload and have it stored under a web-accessible path.
Once the file is on disk, a single GET request to its URL makes the web server execute it. The code runs as the web server user, with access to the WordPress installation, the database credentials in wp-config.php, and anything else that process can reach. The bug is reachable over the network and needs neither credentials nor user interaction, so every exposed site running the vulnerable version is a candidate target.
Root Cause
The root cause is missing authentication on a critical REST API function, mapped to [CWE-306]. The config_file endpoint handler accepts incoming file content from unauthenticated requests and writes it to disk using attacker-controlled file names. The plugin does not enforce a permission callback, does not restrict file extensions, and does not validate MIME types. This combination converts a single unauthenticated request into a reliable remote code execution primitive.
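The following is an added example, not the MStore API plugin's own code: a REST upload route shaped like the flaw described above, next to a hardened version that closes each gap in turn (a real permission_callback, an extension allow-list, content validation, and a server-chosen file name). The example-store/v1 namespace, the route names, the JSON-only allow-list and the storage subdirectory are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Namespace, route names, the JSON-only
// allow-list and the "example-store-config" subdirectory are assumptions.

add_action('rest_api_init', function () {
    // VULNERABLE shape: open to anonymous callers, attacker-named file, no type check.
    // ('__return_true' behaves the same as leaving permission_callback out.)
    register_rest_route('example-store/v1', '/config_file', [
        'methods'             => 'POST',
        'callback'            => 'example_vuln_config_file',
        'permission_callback' => '__return_true',
    ]);

    // HARDENED: capability check, allow-listed extension, validated content,
    // server-chosen name under a dedicated uploads subdirectory.
    register_rest_route('example-store/v1', '/config_file_safe', [
        'methods'             => 'POST',
        'callback'            => 'example_safe_config_file',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ]);
});

function example_vuln_config_file(WP_REST_Request $request) {
    $files  = $request->get_file_params();
    $upload = wp_upload_dir();
    // The client picks both the name (shell.php) and the bytes; nothing is checked.
    $target = $upload['basedir'] . '/' . $files['config_file']['name'];
    move_uploaded_file($files['config_file']['tmp_name'], $target);
    return new WP_REST_Response(['saved' => $target], 200);
}

function example_safe_config_file(WP_REST_Request $request) {
    $files = $request->get_file_params();
    if (empty($files['config_file']['tmp_name']) || !is_uploaded_file($files['config_file']['tmp_name'])) {
        return new WP_Error('no_file', 'Missing config_file part', ['status' => 400]);
    }
    $file = $files['config_file'];

    // Extension allow-list: anything whose name does not end in .json is refused.
    $type = wp_check_filetype($file['name'], ['json' => 'application/json']);
    if ($type['ext'] !== 'json') {
        return new WP_Error('bad_type', 'Only .json config files are accepted', ['status' => 415]);
    }

    // Content validation: cap the size, then require that it actually parses as JSON.
    if (filesize($file['tmp_name']) > 65536) {
        return new WP_Error('too_large', 'Config file exceeds 64 KiB', ['status' => 413]);
    }
    json_decode((string) file_get_contents($file['tmp_name']), true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return new WP_Error('bad_content', 'Upload is not valid JSON', ['status' => 415]);
    }

    // The server chooses the directory and the name; the client's name is discarded.
    $dir = trailingslashit(wp_upload_dir()['basedir']) . 'example-store-config';
    wp_mkdir_p($dir);
    $name = wp_unique_filename($dir, 'config-' . gmdate('Ymd-His') . '.json');
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        return new WP_Error('write_failed', 'Could not store file', ['status' => 500]);
    }
    return new WP_REST_Response(['saved' => $name], 201);
}
```

The order of the checks matters: the permission_callback runs before the handler is ever entered, so an anonymous request never reaches the file-handling code at all, and the remaining checks only harden the path for an authenticated but possibly compromised account.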
Attack Vector
Attackers send a POST request directly to the vulnerable REST API route on any WordPress site running MStore API 2.0.6. The request body includes a PHP file with an arbitrary file name and extension. The plugin writes the file to a public path, and the attacker then issues a GET request to invoke the payload. Public exploit material is referenced in Exploit-DB #50379 and the VulnCheck advisory.
Detection Methods for CVE-2021-47933
Indicators of Compromise
- Unexpected .php files appearing under WordPress upload or plugin directories, especially paths associated with the MStore API plugin.
- POST requests to MStore API REST routes containing the config_file parameter from unauthenticated clients.
- Outbound connections from the web server or PHP worker process (httpd or php-fpm, typically running as www-data) to unfamiliar external hosts shortly after an upload event.
Detection Strategies
- Inspect web server access logs for POST requests to /wp-json/ routes registered by the MStore API plugin, particularly multipart uploads whose file part carries a PHP extension or a non-image content type.
- Monitor the WordPress filesystem for newly created PHP files in upload directories and correlate creation timestamps with inbound HTTP requests.
- Hunt for web shell behavior, such as the web server process spawning shells (/bin/sh, bash) or system reconnaissance commands (whoami, id, uname).
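To make the log-based strategies above concrete, the following PHP CLI script is an added example (not part of the original advisory). It scans Apache combined-format access log lines for the two-step pattern the attack vector describes: a POST to a /wp-json/ route that names config_file, followed within ten minutes by a GET for a PHP-like file under wp-content/uploads/ from the same source address. The five log lines are constructed for the example, and the /wp-json/mstore/v1/ path inside them is an assumed route rather than the plugin's real one; the matching does not depend on it.

```php
<?php
// Added example, not from the advisory: hunt access logs for "config_file upload
// followed by web shell invocation". Run with: php hunt.php
// The sample lines are constructed; the mstore/v1 path in them is an assumption.

const WINDOW_SECS = 600;
// PHP-like files under uploads. (Plugin directories also hold legitimate .php,
// so extend this pattern only if you are prepared to triage the extra noise.)
const SCRIPT_IN_UPLOADS = '#^/wp-content/uploads/.*\.(php[0-9]?|phtml|phar|phps|pht)(\?|$)#i';
// Apache combined format: ip ident user [time] "METHOD target proto" status ...
const LOG_LINE = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) #';

$sample_log = <<<'LOG'
203.0.113.7 - - [10/May/2026:14:02:11 +0000] "POST /wp-json/mstore/v1/config_file HTTP/1.1" 200 118 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2026:14:02:14 +0000] "GET /wp-content/uploads/cache.php?cmd=id HTTP/1.1" 200 51 "-" "python-requests/2.31"
198.51.100.3 - - [10/May/2026:14:05:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.3 - - [10/May/2026:14:06:01 +0000] "POST /wp-json/wp/v2/media HTTP/1.1" 401 95 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2026:15:30:00 +0000] "GET /wp-content/uploads/2026/05/old.php HTTP/1.1" 404 210 "-" "curl/8.0"
LOG;

function hunt(string $log): array
{
    $findings = [];
    $uploads  = [];   // ip => epoch of the most recent config_file POST

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_LINE, $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $when = DateTime::createFromFormat('d/M/Y:H:i:s O', $ts);
        if ($when === false) {
            continue;
        }
        $epoch = $when->getTimestamp();
        $path  = parse_url($target, PHP_URL_PATH) ?: $target;

        // Step 1: a POST to any REST route that names config_file. Access logs do not
        // carry the body, so the path or query string is the only place it can appear.
        if ($method === 'POST' && strpos($path, '/wp-json/') === 0 && stripos($target, 'config_file') !== false) {
            $uploads[$ip] = $epoch;
            $findings[] = sprintf('[high] %s POST %s -> %s (config_file upload route)', $ip, $target, $status);
            continue;
        }

        // Step 2: a script under uploads being fetched; tie it back to step 1 by source IP.
        if ($method === 'GET' && preg_match(SCRIPT_IN_UPLOADS, $target)) {
            if (isset($uploads[$ip]) && $epoch - $uploads[$ip] <= WINDOW_SECS) {
                $findings[] = sprintf('[critical] %s GET %s -> %s (%ds after upload POST)',
                    $ip, $target, $status, $epoch - $uploads[$ip]);
            } else {
                $findings[] = sprintf('[medium] %s GET %s -> %s (php under uploads, no matching POST)',
                    $ip, $target, $status);
            }
        }
    }
    return $findings;
}

foreach (hunt($sample_log) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample input the first address produces a high and then a critical finding, the legitimate /wp/v2/ traffic produces nothing, and the stray request for a .php file under uploads with no preceding upload is reported at medium confidence so it still gets looked at. Replace $sample_log with the contents of the real access log to run it against production data.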
Monitoring Recommendations
- Enable file integrity monitoring on wp-content/uploads/ and plugin directories to alert on new executable PHP files.
- Forward WordPress access and error logs to a centralized analytics platform for correlation with process telemetry.
- Alert on any request to the config_file endpoint and review the source IP, user agent, and payload size for anomalies.
How to Mitigate CVE-2021-47933
Immediate Actions Required
- Remove or deactivate the MStore API plugin version 2.0.6 until a patched release is installed.
- Audit the WordPress filesystem for unauthorized PHP files in upload paths and delete confirmed web shells.
- Rotate WordPress administrator credentials, database passwords, and any API keys stored in wp-config.php if compromise is suspected.
Patch Information
Upgrade the MStore API plugin to the latest version available from the WordPress plugin repository. Confirm the installed version after the upgrade and verify that the config_file endpoint now rejects unauthenticated requests (an anonymous POST should receive a 401 or 403) and refuses PHP file uploads even from authenticated users. Review the VulnCheck advisory for the fixed version details.
Workarounds
- Block requests to MStore API REST routes at a web application firewall (WAF) until the plugin is updated.
- Disable PHP execution in wp-content/uploads/ through web server configuration so that uploaded files cannot run. This only covers files written under uploads; if the plugin writes to another directory, apply the same rule there.
- Restrict access to /wp-json/ endpoints by source IP where the API is only used by known mobile backends.
# Apache: prevent PHP execution in WordPress uploads directory
# (the path is an assumption; use the site's real wp-content/uploads).
# Goes in the vhost or server config: <Directory> is not allowed in .htaccess.
<Directory "/var/www/html/wp-content/uploads">
    # Deny every PHP-like extension, not just .php: php5/phps/pht/phtml/phar are
    # often also mapped to a PHP handler. "Require all denied" stops the request
    # before any handler runs, so it works for mod_php and php-fpm alike.
    <FilesMatch "\.(php[0-9]?|phtml|phar|phps|pht)$">
        Require all denied
    </FilesMatch>
</Directory>
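When no WAF sits in front of the site, the route-level blocking described in the workarounds can be applied inside WordPress itself. The mu-plugin below is an added example, not MStore API project code: it hooks rest_pre_dispatch, which runs after REST authentication but before any plugin handler, and rejects anonymous requests that carry a config_file part to the plugin's namespace, while refusing script-looking uploads from everyone. The /mstore/v1/ route prefix is an assumption; the namespaces the installed plugin actually registers are listed by GET /wp-json/ and the constant should be set to match.

```php
<?php
/**
 * Plugin Name: MStore config_file virtual patch (added example)
 * Description: Rejects anonymous REST requests that carry a config_file upload
 *              part, and refuses script file names from anyone. Place in
 *              wp-content/mu-plugins/ until the plugin is updated, then remove.
 *
 * Added example, not MStore API project code. The route prefix is an assumption:
 * list the namespaces the installed plugin registers with GET /wp-json/ and adjust.
 */

define('EXAMPLE_MSTORE_ROUTE_PREFIX', '/mstore/v1/');   // assumption, adjust to the real namespace

add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    if ($result !== null) {
        return $result;                       // another filter already answered
    }
    $route = $request->get_route();           // e.g. "/mstore/v1/config_file" (without /wp-json)
    if (strpos($route, EXAMPLE_MSTORE_ROUTE_PREFIX) !== 0) {
        return $result;                       // not the vulnerable plugin's namespace
    }

    $files   = $request->get_file_params();   // the $_FILES array for this request
    $carries = isset($files['config_file']) || $request->has_param('config_file');

    // 1. Anonymous callers never reach the upload path at all.
    if ($carries && !current_user_can('manage_options')) {
        error_log(sprintf('mstore virtual patch: blocked %s %s from %s',
            $request->get_method(), $route, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return new WP_Error('rest_forbidden', 'Authentication required.', ['status' => 401]);
    }

    // 2. Even for privileged users, refuse any part that looks like a script by
    //    name or by content, so a stolen admin session cannot drop a shell.
    foreach ($files as $part) {
        $name = is_string($part['name'] ?? null) ? $part['name'] : '';
        if (preg_match('/\.(php[0-9]?|phtml|phar|phps|pht)$/i', $name)) {
            return new WP_Error('rest_invalid_file', 'Script file types are not accepted.', ['status' => 415]);
        }
        $tmp = is_string($part['tmp_name'] ?? null) ? $part['tmp_name'] : '';
        if ($tmp !== '' && is_readable($tmp)) {
            $head = file_get_contents($tmp, false, null, 0, 4096);
            if ($head !== false && stripos($head, '<?php') !== false) {
                return new WP_Error('rest_invalid_file', 'PHP code detected in upload.', ['status' => 415]);
            }
        }
    }
    return $result;                           // clean request: let the plugin handle it
}, 10, 3);
```

Because the hook fires before the plugin's callback, the vulnerable handler is never entered for a rejected request, and the error_log line gives the SOC a record of each blocked attempt that can be correlated with the access-log hunting described under Detection Strategies. This is a stopgap, not a fix: remove it once the patched plugin version is installed and verified.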
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.