Introduction
An abandoned WordPress plugin with no prospect of a security patch still exposes sites to unauthenticated remote code execution through a trivially exploitable file upload flaw. CVE-2021-47940 affects the "Download From Files" plugin, versions 1.48 and earlier, and carries a CVSS score of 9.8.
The Download From Files plugin was a small WordPress extension designed to let site administrators offer file downloads to visitors. It had a limited footprint, with WPScan reporting roughly 100 active installations, and was maintained by an anonymous contributor listed as "Anonymous User 17720058." The plugin was permanently closed on the WordPress.org repository on September 15, 2021, due to a security issue, and has not been updated in over five years.
Technical Information
The core of this vulnerability is a missing authentication check on a WordPress AJAX action handler. The plugin registers an action called download_from_files_617_fileupload that processes file uploads via the standard WordPress AJAX endpoint at /wp-admin/admin-ajax.php. This action is accessible to unauthenticated users, meaning no WordPress session or nonce is required to invoke it. This is classified under CWE-306: Missing Authentication for Critical Function.
The more damaging design flaw is that the handler allows the caller to control which file extensions are accepted for upload. The allowExt parameter, submitted as part of the multipart form data, is trusted without server side validation. An attacker can set this parameter to any executable extension, such as php4 or phtml, effectively bypassing any intended file type restrictions.
Attack Flow
The exploitation sequence proceeds as follows:
-
The attacker sends a GET request to
/wp-admin/admin-ajax.php?action=download_from_files_617_fileuploadto confirm the plugin is active. A response containing the Hungarian word "Sikeres" (meaning "Successful") confirms the endpoint is reachable. -
The attacker crafts a POST request to the same endpoint with
multipart/form-datacontent type. The POST body includes:allowExtset to an executable extension (e.g.,php4orphtml)uploadDirset to.(resolving to the current directory, which iswp-admin/)filesNameset tofiles- A
files[]field containing the malicious PHP payload (e.g., a web shell)
-
The server processes the upload and writes the file to the
wp-admin/directory. -
The attacker accesses the uploaded shell directly at a predictable URL such as
https://example.com/wp-admin/a.php4, achieving remote code execution on the server.
The entire chain requires no authentication, no privilege escalation, and no complex exploitation technique. It is a straightforward HTTP request that results in arbitrary code execution on the target server.
Detection Methods
Identifying Vulnerable Installations
The plugin slug is download-from-files, and its files reside under /wp-content/plugins/download-from-files/. Since the plugin has been removed from the WordPress.org repository and remains unpatched, any installation with this plugin present is considered vulnerable. The public exploit also provides a Google Dork (inurl:/wp-content/plugins/download-from-files) that can be used in external attack surface enumeration to find exposed instances.
Network Level Detection (HTTP Request Patterns)
The exploitation mechanism involves a POST request to the WordPress AJAX handler. Defenders should monitor web server access logs and WAF logs for requests matching the following pattern:
- Target URI:
/wp-admin/admin-ajax.phpwith the query parameteraction=download_from_files_617_fileupload - HTTP Method: POST with a
multipart/form-datacontent type (indicating file upload) - Suspicious POST body parameters: The
allowExtfield set to executable extensions such asphp4,phtml,php, or similar; theuploadDirparameter set to.(current directory); and afiles[]field carrying the uploaded payload
Any HTTP request containing download_from_files_617_fileupload as the AJAX action is a strong indicator of either exploitation or reconnaissance, since this action name is unique to the vulnerable plugin. WAF rules or proxy level inspection rules can be configured to flag or block requests where the action parameter matches this string.
Additionally, the public exploit performs a preliminary vulnerability check via a GET request to the same endpoint. The response contains the Hungarian word "Sikeres" when the plugin is active and the endpoint is reachable. Observing GET requests to this endpoint followed by POST requests with file uploads is a clear exploitation workflow pattern.
Host Level Detection (File System Monitoring)
Upon successful exploitation, the attacker's uploaded file (typically a PHP web shell with a .php4 or .phtml extension) is written to the WordPress /wp-admin/ directory. File integrity monitoring (FIM) solutions should be configured to alert on the creation of new files in the wp-admin/ directory, particularly those with executable PHP related extensions (.php, .php4, .phtml, .php5, .phar). Any PHP file in wp-admin/ that is not part of the standard WordPress core distribution should be treated as highly suspicious.
Log Based Indicators of Compromise
In your web server logs (Apache access.log, Nginx access.log), look for:
- Entries with the URI path containing
admin-ajax.php?action=download_from_files_617_fileupload, especially from unauthenticated sessions (no WordPress auth cookies present) - Subsequent requests to unexpected PHP files in the
/wp-admin/directory that do not correspond to known WordPress core files, which would indicate the attacker is accessing their uploaded shell
WordPress Security Scanners
Both WPScan (WVDB ID 8defc276-c5b0-447e-87d4-01c285051a6e) and Wordfence Intelligence track this vulnerability. Running WPScan against your WordPress sites or using the Wordfence plugin will flag the presence of the vulnerable download-from-files plugin. The Wordfence Intelligence API can also be queried programmatically to check for this specific plugin vulnerability.
No publicly available IDS/IPS signatures (Snort, Suricata), YARA rules, or Sigma rules specifically tailored for CVE-2021-47940 were identified at the time of writing. However, the distinctive AJAX action string download_from_files_617_fileupload is sufficiently unique that custom detection rules targeting this string in HTTP traffic would provide high fidelity alerting with minimal false positives.
Affected Systems and Versions
- Plugin: Download From Files for WordPress
- Affected Versions: Version 1.48 and all earlier versions
- Platform: Any WordPress installation with the Download From Files plugin installed and active
- Last Tested WordPress Version: 5.8.13
- Plugin Status: Permanently closed on the WordPress.org repository as of September 15, 2021; no fix will be released
Vendor Security History
The Download From Files plugin was maintained by an anonymous contributor ("Anonymous User 17720058") with no public identity or track record. The plugin had not been updated in over five years prior to its closure and was only tested up to WordPress 5.8.13. The permanent closure of the plugin due to a security issue, combined with the anonymous maintainership and prolonged neglect, indicates a project with no meaningful security maintenance lifecycle. With only approximately 100 active installations reported by WPScan, the plugin had a minimal market footprint, but the severity of this vulnerability (CVSS 9.8, unauthenticated RCE) makes it a critical concern for any remaining installations.
References
- NVD: CVE-2021-47940
- WordPress.org Plugin Page: Download From Files
- ExploitDB: WordPress Plugin Download From Files 1.48 Arbitrary File Upload (EDB-50287)
- VulnCheck Advisory: WordPress Download From Files 1.48 Arbitrary File Upload
- WPScan Vulnerability Entry: Unauthenticated Arbitrary File Upload
- WPScan Plugin Page: Download From Files
- Wordfence Intelligence: Download From Files
- Archived WordPress.org Plugin Page (September 2021)



