CVE-2021-47933

CRITICAL

WordPress MStore API 2.0.6 Arbitrary File Upload

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47933. PoCs published by spacehen.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in the WordPress MStore API plugin (version 2.0.6 or lower). It uploads a malicious file by exploiting an unauthenticated endpoint, allowing remote code execution if the uploaded file contains executable code.

Description

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.

Exploits (1)

exploitdb WORKING POC
by spacehen · python · webapps · php
https://www.exploit-db.com/exploits/50379

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress MStore API plugin <= 2.0.6
Authentication: No auth needed
Prerequisites: Target must have the vulnerable MStore API plugin installed and accessible · Attacker must provide a valid file path to upload
devstral-2 · analyzed May 10, 2026

References (3)

Core References
Exploit: ExploitDB-50379
https://www.exploit-db.com/exploits/50379
Product: Official Product Homepage
https://wordpress.org/plugins/mstore-api/
Third Party Advisory: VulnCheck Advisory: WordPress MStore API 2.0.6 Arbitrary File Upload
https://www.vulncheck.com/advisories/wordpress-mstore-api-arbitrary-file-upload

Scores

CVSS v3: 9.8
EPSS: 0.0059
EPSS Percentile: 43.4%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-306
Status: published
Products (1): mstore/MStore API 2.0.6
Published: May 10, 2026
Tracked Since: May 10, 2026