CVE-2021-47977 Overview
CVE-2021-47977 is a directory traversal vulnerability [CWE-22] in the WordPress plugin Anti-Malware Security and Bruteforce Firewall version 4.20.59. The flaw resides in the duplicator_download action handler, which is exposed through admin-ajax.php. Unauthenticated attackers can manipulate the file parameter with path traversal sequences such as ../ to read arbitrary files outside the intended directory. The vulnerability allows disclosure of sensitive system files, including the WordPress wp-config.php file, which contains database credentials and authentication secrets.
Critical Impact
Unauthenticated remote attackers can read arbitrary files on the WordPress server, exposing credentials, configuration secrets, and operating system files.
Affected Products
- WordPress Plugin: Anti-Malware Security and Bruteforce Firewall (GOTMLS)
- Affected version: 4.20.59
- Deployment: WordPress sites with the GOTMLS plugin installed and activated
Discovery Timeline
- 2026-05-16 - CVE-2021-47977 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47977
Vulnerability Analysis
The vulnerability stems from insufficient input validation in the plugin's duplicator_download AJAX handler. When a request is sent to admin-ajax.php with action=duplicator_download, the handler accepts a file parameter that specifies the target file to return. The plugin fails to sanitize directory traversal sequences in this parameter before performing file read operations.
Attackers exploit this by submitting crafted values such as ../../../../wp-config.php or paths to /etc/passwd on Linux hosts. The server returns the requested file contents in the HTTP response. Because the endpoint does not require authentication, any remote actor with network access to the WordPress site can issue the request.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The file parameter is concatenated into a filesystem path without normalization or allowlist validation. Sequences such as ../ traverse outside the plugin's expected working directory and resolve to arbitrary locations on the host filesystem.
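The hardened path handling that the duplicator_download handler lacked, shown as an added Python example (not the plugin's PHP code). The assumed export directory, file names and helper names are constructed for the demo; the point is canonicalising with realpath and refusing any result outside the base directory, including URL-encoded and double-encoded traversal forms.

```python
# Added example, not the plugin's own code: a hardened resolver for the
# ``file`` parameter, doing what the vulnerable duplicator_download handler
# did not.  The request is canonicalised with realpath and rejected unless
# the result stays inside the export directory.  Paths are constructed.
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of ``requested`` inside ``base_dir``,
    or None if it is absolute, contains a NUL byte, or escapes the base."""
    # Decode twice so double-encoded sequences such as ..%252F are caught;
    # legitimate export names should never contain raw percent signs.
    name = unquote(unquote(requested))
    if "\x00" in name or os.path.isabs(name):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and follows symlinks, so the
    # containment check sees the real target rather than its spelling.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo() -> Dict[str, bool]:
    """Exercise the resolver against a constructed export directory."""
    root = tempfile.mkdtemp()
    exports = os.path.join(root, "exports")
    os.mkdir(exports)
    for rel in ("exports/backup.zip", "wp-config.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed placeholder")
    cases = [
        "backup.zip",               # legitimate download -> allowed
        "../wp-config.php",         # plain traversal -> rejected
        "..%2Fwp-config.php",       # URL-encoded slash -> rejected
        "..%252Fwp-config.php",     # double-encoded slash -> rejected
        "/etc/passwd",              # absolute path -> rejected
        "backup.zip\x00.txt",       # NUL-byte truncation -> rejected
    ]
    return {c: resolve_download_path(exports, c) is not None for c in cases}
```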
Attack Vector
Exploitation requires only network access. An attacker sends an HTTP GET or POST request to /wp-admin/admin-ajax.php with the action=duplicator_download parameter and a traversal payload in the file parameter. The server responds with the raw contents of the targeted file. A public proof-of-concept is documented at Exploit-DB #50107 and the VulnCheck WordPress Advisory.
No verified exploit code is reproduced here. Refer to the linked advisory for full technical details of the request structure and parameter handling.
Detection Methods for CVE-2021-47977
Indicators of Compromise
- HTTP requests to /wp-admin/admin-ajax.php containing action=duplicator_download from unauthenticated sources
- Request parameters containing directory traversal sequences such as ../, ..%2F, or encoded variants
- Web server access logs showing successful (HTTP 200) responses to duplicator_download requests referencing files outside the plugin directory
- Unexpected reads of wp-config.php, /etc/passwd, or other system files by the web server process in file access auditing
Detection Strategies
- Inspect WordPress access logs for the string duplicator_download combined with traversal patterns in query parameters
- Deploy web application firewall rules that block path traversal sequences in any parameter sent to admin-ajax.php
- Correlate requests to admin-ajax.php with response sizes that exceed typical AJAX payloads, which may indicate file exfiltration
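The first detection strategy above, implemented as an added Python example (not part of the advisory): it parses combined-format access log lines, keeps only duplicator_download requests, and flags those whose parameters carry a traversal sequence after single and double URL-decoding. The log lines, timestamps and IP addresses are constructed.

```python
# Added example, not part of the advisory: a scanner for combined-format
# access log lines that flags duplicator_download requests whose parameters
# carry traversal sequences, including single- and double-URL-encoded forms.
# The log lines and IP addresses below are constructed for the demo.
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
TRAVERSAL = re.compile(r"\.\.[/\\]")  # ../ or ..\ after decoding


def is_traversal_hit(url: str) -> bool:
    """True when the URL targets duplicator_download with a traversal payload."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "duplicator_download" not in params.get("action", []):
        return False
    # parse_qs decodes once; a second unquote exposes ..%252F-style encoding.
    return any(TRAVERSAL.search(unquote(v))
               for values in params.values() for v in values)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per matching request line, with status and size."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_hit(m["url"]):
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "size": 0 if m["size"] == "-" else int(m["size"]),
                         "url": m["url"]})
    return hits


SAMPLE_LOG = [  # constructed lines; 203.0.113.5 is the scanning host
    '203.0.113.5 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=../../../../wp-config.php HTTP/1.1" 200 3121 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1604 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=backup.zip HTTP/1.1" 200 8890 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:02:30 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&file=../x HTTP/1.1" 200 50 "-" "Mozilla/5.0"',
]
```

Access logs record only the request line, so POST-bodied requests to admin-ajax.php are invisible to this scanner and need WAF or application-level logging instead.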
Monitoring Recommendations
- Enable WordPress audit logging plugins to record AJAX action invocations and the requesting IP
- Forward web server logs to a centralized SIEM for retention and pattern analysis
- Alert on repeated requests to the same AJAX endpoint from a single IP over short intervals, which suggests automated scanning
How to Mitigate CVE-2021-47977
Immediate Actions Required
- Update the Anti-Malware Security and Bruteforce Firewall plugin to a version later than 4.20.59 by downloading the current release from GOTMLS Download Resources
- Audit web server access logs for prior exploitation attempts referencing duplicator_download
- Rotate WordPress database credentials, authentication keys, and salts in wp-config.php if exploitation is suspected
Patch Information
The vendor has released updated versions of the plugin that address the directory traversal flaw. WordPress administrators should upgrade through the WordPress admin dashboard or by retrieving the latest package from the GOTMLS Security Solution site. Verify the installed version after upgrading.
Workarounds
- Deactivate and remove the Anti-Malware Security and Bruteforce Firewall plugin until patching is possible
- Configure a web application firewall to block requests to admin-ajax.php containing action=duplicator_download or path traversal characters
- Restrict access to /wp-admin/ paths by source IP address where operationally feasible
# Example WAF rule (ModSecurity) to block traversal in duplicator_download.
# The engine URL-decodes ARGS once; t:urlDecodeUni on the chained rule also
# catches double-encoded variants such as ..%252F. In a chain the disruptive
# action (deny) and the msg belong on the first rule, as written here.
SecRule ARGS:action "@streq duplicator_download" \
    "id:1004771,phase:2,deny,status:403,log,\
    chain,msg:'CVE-2021-47977 GOTMLS traversal attempt'"
    SecRule ARGS:file "@rx (?:\.\./|\.\.%2[fF])" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.