CVE Vulnerability Database

CVE-2021-47940: WordPress Download Files Auth Bypass Issue

CVE-2021-47940 is an authentication bypass flaw in the WordPress Download From Files plugin that enables unauthenticated file uploads. Attackers can upload malicious PHP files to gain server control. This article covers impact analysis, affected versions, and remediation guidance.

Published: May 18, 2026

CVE-2021-47940 Overview

CVE-2021-47940 is an arbitrary file upload vulnerability in the WordPress plugin Download From Files version 1.48 and earlier. The flaw allows unauthenticated attackers to upload arbitrary files, including PHP web shells, by abusing the plugin's AJAX upload handler. Attackers send crafted POST requests to admin-ajax.php targeting the download_from_files_617_fileupload action and manipulate the allowExt parameter to bypass file extension restrictions. Successful exploitation results in remote code execution on the affected WordPress server. The vulnerability is categorized under [CWE-306] Missing Authentication for Critical Function.

Critical Impact

Unauthenticated attackers can upload PHP shells to the web root and achieve remote code execution on affected WordPress installations.

Affected Products

  • WordPress Plugin Download From Files version 1.48
  • WordPress Plugin Download From Files versions prior to 1.48
  • WordPress installations with the Download From Files plugin enabled

Discovery Timeline

  • 2026-05-10 - CVE-2021-47940 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2021-47940

Vulnerability Analysis

The Download From Files plugin registers an AJAX action handler named download_from_files_617_fileupload that processes file uploads without authentication. The handler is exposed through the standard WordPress admin-ajax.php endpoint, which accepts unauthenticated POST requests by design when actions are registered with wp_ajax_nopriv_. This exposure allows any remote actor to invoke the upload routine.

The upload handler accepts a client-supplied allowExt parameter that defines the list of permitted file extensions. Because the server trusts this attacker-controlled value rather than enforcing a server-side allowlist, the file type restriction can be trivially bypassed. An attacker submits an extension such as php in allowExt and uploads a malicious script.

Uploaded files are written to a location reachable from the web root, enabling direct execution by requesting the resulting URL. The combination of missing authentication, client-controlled validation, and a web-accessible upload destination produces a reliable remote code execution primitive.

Root Cause

The root cause is missing authentication on a critical function combined with client-side trust of validation parameters. The AJAX action is registered for unauthenticated users, and the file extension allowlist is read from the request body instead of being hardcoded server-side.
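The two defects named above, a client-supplied allowlist and no authentication on the AJAX action, are easiest to see side by side. The following is an added illustration in Python rather than the plugin's own PHP; it is not the plugin's code. The vulnerable function mirrors the flawed logic (reads `allowExt` from the request, checks nothing else), and the hardened function shows the controls a corrected handler would need: a logged-in user with the `upload_files` capability, a valid nonce, and a fixed server-side allowlist that also rejects executable segments in multi-extension names. All request values, the nonce secret, and the capability name as used here are constructed for the example.

```python
"""Model of the root cause behind CVE-2021-47940 (added illustration, not the
plugin's code). The vulnerable path trusts the client's allowExt and runs for
anyone; the hardened path enforces authentication, capability, nonce, and a
server-side allowlist. All sample values are constructed."""
from dataclasses import dataclass, field
import hashlib
import hmac

# Server-side allowlist and the extensions the web server may execute (constructed lists)
SERVER_ALLOWLIST = frozenset({"pdf", "zip", "png", "jpg"})
EXECUTABLE_EXTS = frozenset({"php", "php3", "php5", "php7", "phtml", "phar", "phps"})
NONCE_SECRET = b"constructed-secret-for-illustration"


@dataclass
class UploadRequest:
    filename: str
    params: dict                      # POST body fields, e.g. {"allowExt": "php"}
    user_logged_in: bool = False
    capabilities: frozenset = field(default_factory=frozenset)
    nonce: str = ""


def _extensions(filename: str) -> list:
    """'shell.php.txt' -> ['php', 'txt']: every segment is inspected, not only the last."""
    name = filename.lower().rsplit("/", 1)[-1]
    return name.split(".")[1:]


def vulnerable_upload_allowed(req: UploadRequest) -> bool:
    """Mirrors the flawed logic: no auth check, allowlist taken from the request."""
    allowed = {e.strip().lower() for e in req.params.get("allowExt", "").split(",") if e.strip()}
    exts = _extensions(req.filename)
    return bool(exts) and exts[-1] in allowed


def make_nonce(user_id: str) -> str:
    """Stand-in for a WordPress nonce: keyed hash bound to the user (constructed scheme)."""
    return hmac.new(NONCE_SECRET, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def hardened_upload_allowed(req: UploadRequest, user_id: str = "") -> tuple:
    """Return (allowed, reason). The client's allowExt parameter is ignored entirely."""
    if not req.user_logged_in:
        return False, "unauthenticated"
    if "upload_files" not in req.capabilities:
        return False, "missing capability"
    if not hmac.compare_digest(req.nonce, make_nonce(user_id)):
        return False, "bad nonce"
    exts = _extensions(req.filename)
    if not exts:
        return False, "no extension"
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension segment"
    if exts[-1] not in SERVER_ALLOWLIST:
        return False, "extension not in server allowlist"
    return True, "ok"


if __name__ == "__main__":
    probe = UploadRequest("shell.php", {"allowExt": "php"})
    print("vulnerable handler accepts shell.php:", vulnerable_upload_allowed(probe))
    print("hardened handler:", hardened_upload_allowed(probe))
```

The hardened check rejects a `.php` segment anywhere in the name, not only at the end, because some Apache `AddHandler` configurations execute `name.php.txt`; the allowlist is a module constant so no request field can widen it.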

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker sends a multipart POST request to /wp-admin/admin-ajax.php with action=download_from_files_617_fileupload, allowExt=php, and a PHP payload as the uploaded file. The response typically includes the path to the stored shell, which the attacker then requests directly to execute arbitrary PHP code. Public exploit details are referenced in Exploit-DB #50287 and the VulnCheck Advisory for WordPress Plugin.

Detection Methods for CVE-2021-47940

Indicators of Compromise

  • POST requests to /wp-admin/admin-ajax.php containing the parameter action=download_from_files_617_fileupload from unauthenticated sources.
  • Presence of unexpected .php, .phtml, or .phar files within the plugin upload directory or web root.
  • Outbound network connections originating from the php or php-fpm worker process to attacker-controlled infrastructure following an upload event.
  • Web server access logs showing direct GET requests to recently created files inside the plugin's upload path.

Detection Strategies

  • Inspect web server logs for the download_from_files_617_fileupload action string combined with allowExt parameters containing executable extensions.
  • Hash and baseline files under the WordPress wp-content/uploads/ and plugin directories, alerting on new server-executable file types.
  • Deploy web application firewall rules that block AJAX requests carrying allowExt=php or similar executable extensions.
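To make the log-inspection strategy concrete, here is an added Python detector (not part of the original article) that runs over constructed combined-format access log lines. It flags requests to admin-ajax.php whose query string carries the vulnerable action and raises severity when the same client IP fetches a server-executable file under /wp-content/ within an hour. One caveat it builds in: a standard access log records only the query string, so an `allowExt` value sent in the POST body is invisible here and must be checked at a WAF or ModSecurity audit log instead. The IPs, timestamps and paths are constructed sample data.

```python
"""Added detection example for the CVE-2021-47940 indicators (not from the
original page). Parses combined-format access log lines, flags the vulnerable
admin-ajax.php action in the query string, and correlates a follow-on GET of
an executable file under /wp-content/ from the same IP. Samples are constructed."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "download_from_files_617_fileupload"
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
CORRELATION_WINDOW_SECONDS = 3600
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation-range IPs, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:10:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/May/2026:10:00:03 +0000] "GET /wp-content/uploads/2026/05/image.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/May/2026:10:05:00 +0000] "GET /wp-content/uploads/2026/05/brochure.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2026:11:00:00 +0000] "GET /wp-content/plugins/some-plugin/helper.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Only query-string parameters are visible in an access log; body fields are not.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def detect(lines):
    """Return alert dicts in the order their triggering lines were seen."""
    alerts = []
    last_upload = {}  # client ip -> timestamp of its last vulnerable-action request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith("/admin-ajax.php") and rec["query"].get("action") == VULN_ACTION:
            last_upload[rec["ip"]] = rec["ts"]
            alerts.append({"rule": "vuln_ajax_action", "severity": "medium",
                           "ip": rec["ip"], "target": rec["target"]})
            continue
        if rec["method"] == "GET" and "/wp-content/" in rec["path"] and EXEC_EXT_RE.search(rec["path"]):
            recent = (rec["ip"] in last_upload and
                      (rec["ts"] - last_upload[rec["ip"]]).total_seconds() <= CORRELATION_WINDOW_SECONDS)
            if recent and rec["status"] == "200":
                # An upload attempt followed by a successful fetch of a PHP file: treat as shell access.
                alerts.append({"rule": "upload_then_shell_access", "severity": "high",
                               "ip": rec["ip"], "target": rec["target"]})
            else:
                alerts.append({"rule": "php_under_wp_content", "severity": "low",
                               "ip": rec["ip"], "target": rec["target"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Direct requests for `.php` files under plugin directories are not rare in legitimate traffic, so they stay at low severity unless preceded by the vulnerable action from the same source; tune the window to your log volume.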

Monitoring Recommendations

  • Forward Apache, Nginx, and PHP-FPM logs to a centralized analytics platform for correlation of upload attempts and subsequent shell access.
  • Monitor file integrity on the WordPress installation directory and alert on newly created PHP files outside expected paths.
  • Track child processes spawned by the web server user, such as sh, bash, python, or curl, which often indicate post-exploitation activity following a successful upload.
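The file-baselining strategy from the Detection Strategies list and the file-integrity monitoring recommendation above can both be served by one small tool. The Python below is an added example, not part of the original article: it hashes every file under a WordPress content tree, compares a later snapshot against the baseline, and escalates any new or modified server-executable file outside an expected prefix (the plugin directory, where PHP belongs). The `demo()` function builds a throwaway tree in a temporary directory with constructed placeholder files so the example runs offline; the directory layout and the prefix passed as `allowed_exec_prefixes` are assumptions for the example.

```python
"""Added file-integrity example for the CVE-2021-47940 monitoring advice (not
from the original page). Baselines file hashes under a content tree and flags
new or changed server-executable files outside expected locations."""
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server may execute (constructed list; extend to match your handlers)
SERVER_EXECUTABLE = {".php", ".php3", ".php5", ".php7", ".phtml", ".phar", ".phps"}


def snapshot(root):
    """Map each regular file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def is_server_executable(relpath):
    """Check every suffix, so 'a.php.txt' is caught as well as 'a.php'."""
    return any(s.lower() in SERVER_EXECUTABLE for s in Path(relpath).suffixes)


def compare(baseline, current, allowed_exec_prefixes=()):
    """Diff two snapshots; executable files outside allowed prefixes are high severity."""
    alerts = []
    for rel, digest in current.items():
        old = baseline.get(rel)
        if old is None:
            change = "new"
        elif old != digest:
            change = "modified"
        else:
            continue
        expected_place = rel.startswith(tuple(allowed_exec_prefixes))
        severity = "high" if is_server_executable(rel) and not expected_place else "info"
        alerts.append({"severity": severity, "change": change, "path": rel})
    for rel in baseline.keys() - current.keys():
        alerts.append({"severity": "info", "change": "deleted", "path": rel})
    return sorted(alerts, key=lambda a: a["path"])


def demo():
    """Build a constructed wp-content tree, baseline it, then simulate a dropped PHP file."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = Path(tmp)
        (wp / "uploads/2026/05").mkdir(parents=True)
        (wp / "plugins/download-from-files").mkdir(parents=True)
        (wp / "uploads/2026/05/brochure.pdf").write_bytes(b"%PDF-1.4 constructed")
        (wp / "plugins/download-from-files/plugin.php").write_text("<?php // constructed plugin stub\n")
        baseline = snapshot(wp)
        # What a successful exploit leaves behind: a new PHP file under uploads (placeholder content)
        (wp / "uploads/2026/05/image.php").write_text("<?php // constructed placeholder, not a shell\n")
        (wp / "uploads/2026/05/brochure.pdf").write_bytes(b"%PDF-1.4 edited")
        return compare(baseline, snapshot(wp), allowed_exec_prefixes=("plugins/",))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In production the baseline would be written to storage outside the web root and refreshed only after a verified plugin or core update, so that an attacker who can write PHP into uploads cannot also rewrite the reference hashes.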

How to Mitigate CVE-2021-47940

Immediate Actions Required

  • Deactivate and remove the Download From Files plugin from any WordPress site where it is installed, as no patched version is referenced in the advisory.
  • Audit the wp-content/uploads/ directory and plugin folders for unauthorized PHP files and remove any web shells discovered.
  • Rotate WordPress administrator credentials, secret keys in wp-config.php, and any database or API credentials that may have been exposed.
  • Review web server access logs for prior exploitation attempts referencing the vulnerable AJAX action.

Patch Information

No vendor patch is referenced in the available advisory data. The WordPress Plugin Download Resource page should be consulted for the current plugin status. Until a fixed release is confirmed, removing the plugin is the recommended remediation. Additional technical context is available in the VulnCheck Advisory for WordPress Plugin.

Workarounds

  • Block requests to admin-ajax.php containing action=download_from_files_617_fileupload at the web application firewall or reverse proxy.
  • Disable PHP execution within the wp-content/uploads/ directory using web server configuration to neutralize uploaded shells.
  • Restrict access to /wp-admin/admin-ajax.php to authenticated sessions where business requirements permit.
```nginx
# Nginx: refuse to serve or execute PHP from the WordPress uploads directory.
# This regex location must come before the generic "\.php$" location that hands
# requests to PHP-FPM, because Nginx uses the first matching regex location.
# The pattern also covers .phtml and .phar, the other executable types listed above.
location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ {
    deny all;
    return 403;
}
```

```apache
# ModSecurity rule to block the vulnerable AJAX action (phase 2 so POST body
# arguments are inspected).
SecRule ARGS:action "@streq download_from_files_617_fileupload" \
    "id:1004794,phase:2,deny,status:403,log,msg:'CVE-2021-47940 exploit attempt'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: WordPress
  • Severity: CRITICAL
  • CVSS Score: 9.3
  • EPSS Probability: 0.15%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-306

Technical References

  • WordPress Plugin Download Resource
  • Exploit-DB #50287
  • VulnCheck Advisory for WordPress Plugin

Related CVEs

  • CVE-2026-6512: InfusedWoo Pro Authorization Bypass Flaw
  • CVE-2026-6145: WordPress User Registration Auth Bypass
  • CVE-2026-8181: Burst Statistics Auth Bypass Vulnerability
  • CVE-2026-7525: My Calendar WordPress Auth Bypass Flaw
©2026 SentinelOne, All Rights Reserved.