Introduction
An unauthenticated file upload vulnerability in the WordPress plugin WP Super Edit has been sitting in the open with a public exploit for over five years, and there is still no patch. CVE-2021-47965, scored at 9.8 on the CVSS 3.1 scale, allows any remote attacker to upload arbitrary files through the plugin's bundled FCKeditor component and achieve remote code execution on the underlying server.
WP Super Edit is a WordPress plugin that extends the platform's built in text editor with additional formatting and editing capabilities. According to the WordPress plugin directory, it has over 2,000 active installations. The plugin bundles FCKeditor, an older rich text editor that includes its own filemanager module, which is the source of this vulnerability.
Technical Information
The vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. It exists within the FCKeditor component that WP Super Edit bundles under its plugin directory. FCKeditor's filemanager module exposes several upload and file browsing endpoints directly on the web, and the WP Super Edit integration does not add any authentication checks, file type validation, or content inspection to these endpoints.
Root Cause
The application fails to validate the metadata and content of uploaded files. There is no allow list for permitted file extensions, no server side content type verification, and critically, no authentication requirement protecting the upload functionality. Any anonymous visitor who can reach the endpoint can upload any file type.
Vulnerable Endpoints
The following paths within the plugin directory are directly accessible and facilitate file upload or browsing:
/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html
/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html
/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html
/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html
Attack Flow
The exploitation sequence is straightforward:
- The attacker identifies a WordPress installation running WP Super Edit by probing for the known plugin directory structure.
- The attacker navigates to one of the exposed filemanager endpoints, such as the upload form (
frmupload.html) or the upload test page (upload/test.html). - Through the upload interface, the attacker submits a file with a dangerous type, for example a PHP web shell. Because no validation is performed on the file extension or content, the server accepts and writes the file.
- The attacker then requests the uploaded file directly via its URL on the web server.
- The web server executes the uploaded script, granting the attacker remote code execution with the privileges of the web server process.
The CVSS 3.1 vector reflects this: no privileges are required, no user interaction is needed, and successful exploitation results in complete compromise of confidentiality, integrity, and availability.
Affected Systems and Versions
The vulnerability affects WP Super Edit version 2.5.4 and all earlier versions. Version 2.5.4 is the latest release available on the WordPress plugin directory. The plugin has not been updated in over six years and has not been tested with the latest three major releases of WordPress.
Any WordPress installation with WP Super Edit installed and the plugin files present on disk is potentially vulnerable, even if the plugin is deactivated, as the FCKeditor filemanager endpoints are static HTML and connector files that may remain accessible regardless of plugin activation state.
Vendor Security History
WP Super Edit, authored by Ahmad Awais, shows clear signs of abandonment. The plugin has not received an update in over six years. A separate Cross Site Scripting (XSS) vulnerability was reported against the same version (2.5.4) in 2025, and no official patch was released for that issue either. This consistent lack of response to reported vulnerabilities confirms that users should not expect a vendor supplied fix for CVE-2021-47965. The plugin's WordPress directory listing also notes that it has not been tested with the latest three major releases of WordPress, further underscoring its unmaintained status.
References
- NVD Entry for CVE-2021-47965
- CVE Record: CVE-2021-47965
- VulnCheck Advisory: WordPress Plugin WP Super Edit 2.5.4 Unrestricted File Upload
- ExploitDB: WordPress Plugin WP Super Edit 2.5.4 Remote File Upload (ID 49839)
- WordPress Plugin Directory: WP Super Edit
- Patchstack: Cross Site Scripting (XSS) in WordPress WP Super Edit Plugin
- OWASP: Unrestricted File Upload
- CWE-434: Unrestricted Upload of File with Dangerous Type



