CVE-2021-47933

Description

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.

References

• https://wordpress.org/plugins/mstore-api/
• https://www.exploit-db.com/exploits/50379
• https://www.vulncheck.com/advisories/wordpress-mstore-api-arbitrary-file-upload