CVE-2021-47979

HIGH

WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Deletion

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47979. PoCs published by Murat DEMİRCİ.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file deletion vulnerability in the WordPress Backup and Restore plugin (version 1.0.3) via a crafted POST request to admin-ajax.php. The attacker can delete critical files like wp-config.php by manipulating the file_name and folder_name parameters.

Description

WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.

Exploits (1)

exploitdb WORKING POC
by Murat DEMİRCİ · text · webapps · php
https://www.exploit-db.com/exploits/50503

Classification: Working PoC 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Backup and Restore for WP 1.0.3
Auth required
Prerequisites: Admin access to WordPress · Valid nonce value
devstral-2 · analyzed May 16, 2026

References (4)

Core References
Exploit: ExploitDB-50503
https://www.exploit-db.com/exploits/50503
Product: Official Product Homepage
https://www.miniorange.com/
Third Party Advisory: VulnCheck Advisory: WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Deletion
https://www.vulncheck.com/advisories/wordpress-plugin-backup-and-restore-arbitrary-file-deletion

Scores

CVSS v3 8.8
EPSS 0.0040
EPSS Percentile 31.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-22
Status published
Products (1)
Miniorange/Backup and Restore 1.0.3
Published May 16, 2026
Tracked Since May 16, 2026