ZeroPath at Black Hat USA 2026

Quick Look: CVE-2021-47940 — Unauthenticated Arbitrary File Upload in WordPress Download From Files Plugin

A brief summary of CVE-2021-47940, a critical unauthenticated file upload vulnerability in the WordPress Download From Files plugin (version 1.48 and earlier), including technical details, detection methods, and mitigation guidance.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-10

Quick Look: CVE-2021-47940 — Unauthenticated Arbitrary File Upload in WordPress Download From Files Plugin
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An abandoned WordPress plugin with no prospect of a security patch still exposes sites to unauthenticated remote code execution through a trivially exploitable file upload flaw. CVE-2021-47940 affects the "Download From Files" plugin, versions 1.48 and earlier, and carries a CVSS score of 9.8.

The Download From Files plugin was a small WordPress extension designed to let site administrators offer file downloads to visitors. It had a limited footprint, with WPScan reporting roughly 100 active installations, and was maintained by an anonymous contributor listed as "Anonymous User 17720058." The plugin was permanently closed on the WordPress.org repository on September 15, 2021, due to a security issue, and has not been updated in over five years.

Technical Information

The core of this vulnerability is a missing authentication check on a WordPress AJAX action handler. The plugin registers an action called download_from_files_617_fileupload that processes file uploads via the standard WordPress AJAX endpoint at /wp-admin/admin-ajax.php. This action is accessible to unauthenticated users, meaning no WordPress session or nonce is required to invoke it. This is classified under CWE-306: Missing Authentication for Critical Function.

The more damaging design flaw is that the handler allows the caller to control which file extensions are accepted for upload. The allowExt parameter, submitted as part of the multipart form data, is trusted without server side validation. An attacker can set this parameter to any executable extension, such as php4 or phtml, effectively bypassing any intended file type restrictions.

Attack Flow

The exploitation sequence proceeds as follows:

  1. The attacker sends a GET request to /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload to confirm the plugin is active. A response containing the Hungarian word "Sikeres" (meaning "Successful") confirms the endpoint is reachable.

  2. The attacker crafts a POST request to the same endpoint with multipart/form-data content type. The POST body includes:

    • allowExt set to an executable extension (e.g., php4 or phtml)
    • uploadDir set to . (resolving to the current directory, which is wp-admin/)
    • filesName set to files
    • A files[] field containing the malicious PHP payload (e.g., a web shell)
  3. The server processes the upload and writes the file to the wp-admin/ directory.

  4. The attacker accesses the uploaded shell directly at a predictable URL such as https://example.com/wp-admin/a.php4, achieving remote code execution on the server.

The entire chain requires no authentication, no privilege escalation, and no complex exploitation technique. It is a straightforward HTTP request that results in arbitrary code execution on the target server.

Detection Methods

Identifying Vulnerable Installations

The plugin slug is download-from-files, and its files reside under /wp-content/plugins/download-from-files/. Since the plugin has been removed from the WordPress.org repository and remains unpatched, any installation with this plugin present is considered vulnerable. The public exploit also provides a Google Dork (inurl:/wp-content/plugins/download-from-files) that can be used in external attack surface enumeration to find exposed instances.

Network Level Detection (HTTP Request Patterns)

The exploitation mechanism involves a POST request to the WordPress AJAX handler. Defenders should monitor web server access logs and WAF logs for requests matching the following pattern:

  • Target URI: /wp-admin/admin-ajax.php with the query parameter action=download_from_files_617_fileupload
  • HTTP Method: POST with a multipart/form-data content type (indicating file upload)
  • Suspicious POST body parameters: The allowExt field set to executable extensions such as php4, phtml, php, or similar; the uploadDir parameter set to . (current directory); and a files[] field carrying the uploaded payload

Any HTTP request containing download_from_files_617_fileupload as the AJAX action is a strong indicator of either exploitation or reconnaissance, since this action name is unique to the vulnerable plugin. WAF rules or proxy level inspection rules can be configured to flag or block requests where the action parameter matches this string.

Additionally, the public exploit performs a preliminary vulnerability check via a GET request to the same endpoint. The response contains the Hungarian word "Sikeres" when the plugin is active and the endpoint is reachable. Observing GET requests to this endpoint followed by POST requests with file uploads is a clear exploitation workflow pattern.

Host Level Detection (File System Monitoring)

Upon successful exploitation, the attacker's uploaded file (typically a PHP web shell with a .php4 or .phtml extension) is written to the WordPress /wp-admin/ directory. File integrity monitoring (FIM) solutions should be configured to alert on the creation of new files in the wp-admin/ directory, particularly those with executable PHP related extensions (.php, .php4, .phtml, .php5, .phar). Any PHP file in wp-admin/ that is not part of the standard WordPress core distribution should be treated as highly suspicious.

Log Based Indicators of Compromise

In your web server logs (Apache access.log, Nginx access.log), look for:

  • Entries with the URI path containing admin-ajax.php?action=download_from_files_617_fileupload, especially from unauthenticated sessions (no WordPress auth cookies present)
  • Subsequent requests to unexpected PHP files in the /wp-admin/ directory that do not correspond to known WordPress core files, which would indicate the attacker is accessing their uploaded shell

WordPress Security Scanners

Both WPScan (WVDB ID 8defc276-c5b0-447e-87d4-01c285051a6e) and Wordfence Intelligence track this vulnerability. Running WPScan against your WordPress sites or using the Wordfence plugin will flag the presence of the vulnerable download-from-files plugin. The Wordfence Intelligence API can also be queried programmatically to check for this specific plugin vulnerability.

No publicly available IDS/IPS signatures (Snort, Suricata), YARA rules, or Sigma rules specifically tailored for CVE-2021-47940 were identified at the time of writing. However, the distinctive AJAX action string download_from_files_617_fileupload is sufficiently unique that custom detection rules targeting this string in HTTP traffic would provide high fidelity alerting with minimal false positives.

Affected Systems and Versions

  • Plugin: Download From Files for WordPress
  • Affected Versions: Version 1.48 and all earlier versions
  • Platform: Any WordPress installation with the Download From Files plugin installed and active
  • Last Tested WordPress Version: 5.8.13
  • Plugin Status: Permanently closed on the WordPress.org repository as of September 15, 2021; no fix will be released

Vendor Security History

The Download From Files plugin was maintained by an anonymous contributor ("Anonymous User 17720058") with no public identity or track record. The plugin had not been updated in over five years prior to its closure and was only tested up to WordPress 5.8.13. The permanent closure of the plugin due to a security issue, combined with the anonymous maintainership and prolonged neglect, indicates a project with no meaningful security maintenance lifecycle. With only approximately 100 active installations reported by WPScan, the plugin had a minimal market footprint, but the severity of this vulnerability (CVSS 9.8, unauthenticated RCE) makes it a critical concern for any remaining installations.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization