CVE-2021-47979 Overview
CVE-2021-47979 is an arbitrary file deletion vulnerability in the WordPress Backup and Restore plugin version 1.0.3. Authenticated attackers can delete arbitrary files on the WordPress server by sending crafted AJAX requests to admin-ajax.php. The vulnerability stems from improper validation of the file_name and folder_name parameters, allowing path traversal sequences to escape the intended backup directory. Successful exploitation can lead to deletion of critical WordPress files such as wp-config.php, which forces the site into the setup state and can enable site takeover.
Critical Impact
Authenticated attackers can delete arbitrary files including wp-config.php, enabling full site takeover via the WordPress reinstallation flow.
Affected Products
- WordPress Plugin Backup and Restore version 1.0.3
- WordPress installations with the Backup and Restore for WP plugin enabled
- Sites running the vulnerable plugin maintained by MiniOrange Security Solutions
Discovery Timeline
- 2026-05-16 - CVE-2021-47979 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47979
Vulnerability Analysis
The flaw is a path traversal weakness classified under CWE-22. The Backup and Restore plugin exposes AJAX actions through wp-admin/admin-ajax.php that accept user-controlled file and folder names. The handler concatenates these parameters into a filesystem path and invokes a delete operation without canonicalizing the resulting path or restricting it to the plugin's backup directory.
Because the plugin only verifies that the requester is authenticated and does not enforce strong capability checks on the deletion endpoint, low-privilege authenticated users can reach the vulnerable code path. The attacker supplies ../ sequences in the parameters to traverse out of the backup directory and target arbitrary files within the WordPress installation tree. According to the Exploit-DB entry #50503, the exploitation technique uses POST requests with path traversal payloads in the JSON body.
Root Cause
The root cause is missing input sanitization on the file_name and folder_name parameters passed to the AJAX file deletion handler. The plugin does not normalize the path, reject traversal sequences, or restrict deletion to files inside an allowlisted directory. Authorization checks rely only on session authentication rather than role-based capability verification.
Attack Vector
The attacker authenticates to WordPress with any valid account and submits a POST request to admin-ajax.php invoking the plugin's deletion action. The body contains file_name and folder_name values constructed with ../ sequences pointing at the WordPress root, for example targeting wp-config.php. The server executes the delete operation, removing the file. With wp-config.php removed, the next page request triggers the WordPress installation wizard, allowing the attacker to reconfigure the database and take over the site. Refer to the VulnCheck Advisory for the WordPress Plugin Backup and Restore arbitrary file deletion issue and Exploit-DB entry #50503 for technical details.
Detection Methods for CVE-2021-47979
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing file_name or folder_name parameters with ../ traversal sequences
- Unexpected absence or recent deletion of wp-config.php, .htaccess, or core WordPress PHP files
- WordPress installation wizard (wp-admin/install.php) appearing on a previously configured site
- Web server log entries showing authenticated requests to the Backup and Restore plugin's AJAX actions from low-privilege user sessions
Detection Strategies
- Inspect HTTP request bodies sent to admin-ajax.php for path traversal patterns in JSON parameters
- Monitor file integrity on the WordPress document root to flag deletion of core configuration files
- Correlate authenticated subscriber-level sessions with administrative AJAX actions that should require higher privileges
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin AJAX actions per user role
- Forward web server access logs to a centralized analytics platform and alert on admin-ajax.php traffic containing ..%2F or ../ substrings
- Run periodic checksum validation against WordPress core and plugin files to identify unauthorized deletions
How to Mitigate CVE-2021-47979
Immediate Actions Required
- Deactivate and remove the Backup and Restore plugin version 1.0.3 from all WordPress installations until a patched release is verified
- Audit existing user accounts and revoke unnecessary low-privilege accounts that could be leveraged by an authenticated attacker
- Restore a known-good backup of wp-config.php and core files if deletions are detected
Patch Information
Review the official Backup and Restore plugin page on WordPress.org and the MiniOrange Security Solutions site for an updated release that addresses the file deletion flaw. Apply the patched version on all affected sites and confirm the AJAX deletion handler now enforces capability checks and path normalization.
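Added example, not the plugin's own code: a hardened WordPress AJAX delete handler of the kind a patched release should contain, combining a capability check, a nonce and realpath containment inside an allowlisted backup directory. The action name, nonce action and backup directory path are assumptions; a folder_name parameter would need the same treatment.

```php
<?php
// Illustrative hardened delete handler (added example; assumed names, not the plugin's code).
// Assumptions: AJAX action 'br_delete_backup', nonce action 'br_delete_backup',
// backups stored under <uploads>/backup-restore/.

add_action( 'wp_ajax_br_delete_backup', 'br_delete_backup_handler' );

function br_delete_backup_handler() {
    // Capability check: being logged in is not enough; require an administrator capability.
    // wp_send_json_error() terminates the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    // CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'br_delete_backup', 'nonce' );

    $file_name = isset( $_POST['file_name'] ) ? (string) wp_unslash( $_POST['file_name'] ) : '';

    // Accept only a bare file name: reject empty input, path separators and traversal sequences.
    if ( '' === $file_name || basename( $file_name ) !== $file_name || false !== strpos( $file_name, '..' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file name' ), 400 );
    }

    $upload_dir = wp_upload_dir();
    $backup_dir = realpath( trailingslashit( $upload_dir['basedir'] ) . 'backup-restore' );
    if ( false === $backup_dir ) {
        wp_send_json_error( array( 'message' => 'Backup directory missing' ), 500 );
    }

    // Canonicalize the target: realpath() resolves symlinks and '..' and returns false for
    // non-existent paths, so the containment check below sees the real on-disk location.
    $target = realpath( $backup_dir . DIRECTORY_SEPARATOR . $file_name );
    if ( false === $target
        || 0 !== strpos( $target, $backup_dir . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( array( 'message' => 'File is not inside the backup directory' ), 400 );
    }

    if ( ! unlink( $target ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```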
Workarounds
- Block POST requests to /wp-admin/admin-ajax.php that contain ../ or URL-encoded traversal sequences at the web application firewall (WAF) layer
- Restrict access to /wp-admin/ to known administrator IP ranges where feasible
- Move wp-config.php one directory above the WordPress root, which WordPress supports natively, to reduce the impact of arbitrary file deletion in the document root
# Example WAF rule (ModSecurity) to block path traversal in admin-ajax.php requests
# Requires SecRequestBodyAccess On. In ModSecurity 2.x REQUEST_BODY is only populated for
# URL-encoded bodies by default; for JSON bodies set ctl:forceRequestBodyVariable=On in a preceding rule.
# The pattern covers the plain and %2F-encoded forms named above; other encodings need extra patterns.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1004799,msg:'Blocked path traversal in WordPress AJAX request'"
    SecRule REQUEST_BODY "@rx (\.\./|\.\.%2[fF])" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.