Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2021-47940 -- CVSS 9.8 Vulnerability Briefing

CVE-2021-47940 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2021-47940 is an arbitrary file upload vulnerability in the WordPress plugin "Download From Files" version 1.48 and earlier, exploitable by unauthenticated remote attackers via the plugin's AJAX functionality.

Technical Detail

The flaw exists in the plugin's AJAX file handling mechanism, which fails to enforce authentication checks or adequate file type validation before accepting uploaded content. An unauthenticated attacker can craft a malicious AJAX request to upload arbitrary files, including web shells or other executable payloads, to the target WordPress server. Successful exploitation results in remote code execution under the web server's process context, granting the attacker full control over the affected host.

Exploitation Status

No known public exploit code has been confirmed for this vulnerability at this time, and it does not appear on CISA's Known Exploited Vulnerabilities catalog. Despite the absence of documented exploitation, the unauthenticated attack vector and critical CVSS score of 9.8 represent a high-risk exposure profile for any unpatched installation.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence sources.

What To Do

Administrators running the "Download From Files" WordPress plugin should update to a version beyond 1.48 immediately, or deactivate and remove the plugin if no patched version is available or the plugin is not actively needed. Given the unauthenticated nature of the attack vector, exposure should be treated as critical regardless of current exploitation status. Detection efforts should focus on monitoring web server logs for anomalous AJAX POST requests to the plugin's endpoint, unexpected file creation in WordPress upload directories, and the presence of web shell indicators such as PHP files in non-standard locations. Web application firewall rules restricting unauthenticated file upload requests to WordPress AJAX endpoints can serve as a compensating control pending patching.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →