
CVE-2021-47933 -- CVSS 9.8 Vulnerability Briefing

CVE-2021-47933 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2021-47933 is an unauthenticated arbitrary file upload vulnerability in the WordPress MStore API plugin version 2.0.6, affecting the plugin's REST API endpoint.

Technical Detail

The flaw exists in the MStore API plugin's handling of POST requests to its REST API endpoint, which fails to enforce authentication or adequate file type validation before accepting uploaded content. An unauthenticated remote attacker can exploit this by sending a crafted POST request containing a malicious file, such as a PHP webshell, directly to the exposed endpoint. Successful exploitation results in remote code execution (RCE) on the underlying web server, as the attacker can subsequently request the uploaded file to execute arbitrary commands in the server context.

Exploitation Status

No known exploit code has been publicly documented for this vulnerability at this time, and it does not appear on CISA's Known Exploited Vulnerabilities catalog. Despite the absence of confirmed public exploitation, the unauthenticated nature of the attack vector and the critical CVSS score of 9.8 indicate a low barrier to exploitation should a functional exploit be developed.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence sources.

What To Do

Administrators running MStore API version 2.0.6 or earlier should update to a patched version of the plugin immediately, prioritizing any internet-facing WordPress installations. If an immediate update is not possible, consider disabling the plugin or restricting access to the REST API endpoint via web application firewall rules or server-level controls that block unauthenticated POST requests to the affected route. Detection efforts should focus on web server logs for anomalous POST requests to MStore API endpoints, unexpected PHP files appearing in upload directories, and outbound connections originating from the web server process. Given the critical severity and unauthenticated attack surface, this should be treated as a high-priority remediation item regardless of the current absence of known active exploitation.
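The log review described above can be automated. The following is an added example, not code from the plugin or from this briefing's sources: it scans access-log lines for an accepted POST to the plugin's REST route followed by a request from the same client for a PHP file under the uploads directory. The route namespace is a labelled placeholder because the briefing does not name it; the default WordPress paths (/wp-json/, ?rest_route=, /wp-content/uploads/), a site at the web root, and the sample log lines are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: placeholder namespace; the briefing does not name the plugin's route.
PLUGIN_NAMESPACE = "/plugin-namespace-placeholder/"
# Assumption: default WordPress upload directory.
PHP_IN_UPLOADS = re.compile(r"/wp-content/uploads/.+\.(php\d?|phtml|phar)$", re.I)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def rest_route(target):
    """REST route from /wp-json/<route> or ?rest_route=<route>; None otherwise."""
    url = urlsplit(target)
    path = unquote(url.path)
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):].lower()
    param = parse_qs(url.query).get("rest_route")
    return param[0].lower() if param else None

def parse(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, target, int(status)

def find_upload_then_execute(lines, window=timedelta(hours=1)):
    """Clients that POST to the plugin route, then request PHP under uploads."""
    last_post, findings = {}, []
    for ip, when, method, target, status in filter(None, map(parse, lines)):
        route = rest_route(target) or ""
        if method == "POST" and status < 400 and route.startswith(PLUGIN_NAMESPACE):
            last_post[ip] = when  # accepted POST to the plugin route
        elif PHP_IN_UPLOADS.search(unquote(urlsplit(target).path)):
            seen = last_post.get(ip)
            if seen and timedelta(0) <= when - seen <= window:
                findings.append((ip, target, status))
    return findings

# Constructed sample log lines (documentation IP ranges), chronological order.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-json/plugin-namespace-placeholder/v1/example HTTP/1.1" 200 85',
    '203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET /wp-content/uploads/2024/01/x.php HTTP/1.1" 200 12',
    '198.51.100.4 - - [10/Jan/2024:10:01:00 +0000] "POST /?rest_route=%2Fplugin-namespace-placeholder%2Fv1%2Fexample HTTP/1.1" 201 85',
    '198.51.100.4 - - [10/Jan/2024:10:01:30 +0000] "GET /wp-content/uploads/2024/01/y.phtml HTTP/1.1" 200 12',
    '192.0.2.9 - - [10/Jan/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(find_upload_then_execute(SAMPLE))
```

Correlating by client address misses a client that changes address between the two requests, so any request for a PHP file under the uploads directory deserves review on its own.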
