ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2021-47977 Directory Traversal in WordPress Anti-Malware Security and Bruteforce Firewall Plugin

A short review of CVE-2021-47977, a high severity unauthenticated directory traversal vulnerability in the WordPress Anti-Malware Security and Bruteforce Firewall plugin that allows arbitrary file reads on affected systems.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-16

Brief Summary: CVE-2021-47977 Directory Traversal in WordPress Anti-Malware Security and Bruteforce Firewall Plugin
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated directory traversal flaw in a WordPress security plugin with over 100,000 active installations has been quietly exposing host filesystems to remote attackers since at least mid 2021. CVE-2021-47977 affects the Anti-Malware Security and Bruteforce Firewall plugin, a tool developed under the GOTMLS brand that helps WordPress administrators detect and clean malware infections on their sites.

The plugin has a significant footprint: over 100,000 active installations on the WordPress plugin repository and more than 407,173 registered users on the GOTMLS network. For organizations relying on this plugin as part of their WordPress security posture, the irony is notable: the security tool itself introduced a high severity file read vulnerability.

Technical Information

CVE-2021-47977 is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The CVSS score reported by VulnCheck is 8.7 High.

Root Cause

The vulnerability exists in how the plugin handles the duplicator_download AJAX action. WordPress plugins can register actions through the admin-ajax.php endpoint, and some of these actions are accessible without authentication (using the wp_ajax_nopriv_ hook). The Anti-Malware Security and Bruteforce Firewall plugin exposes the duplicator_download action to unauthenticated users and fails to properly sanitize the file parameter before using it to read files from the filesystem.

Specifically, the plugin does not strip or reject path traversal sequences (../ or ..\) from the file parameter value. This allows an attacker to escape the intended directory and traverse the filesystem to read arbitrary files that the web server process has permission to access.

Attack Flow

The exploitation of this vulnerability follows a straightforward sequence:

  1. The attacker identifies a WordPress installation running a vulnerable version of the Anti-Malware Security and Bruteforce Firewall plugin (versions up to and including 4.20.72).
  2. The attacker crafts an HTTP GET request to the target's wp-admin/admin-ajax.php endpoint.
  3. The request includes action=duplicator_download and a file parameter containing path traversal sequences pointing to a sensitive file on the host system.
  4. Because the action does not require authentication, the WordPress AJAX handler processes the request and the plugin reads the specified file from disk.
  5. The contents of the targeted file are returned in the HTTP response.

On a typical WordPress deployment, the most valuable target would be wp-config.php, which contains database credentials, authentication keys, salts, and the database table prefix. On Windows hosts, files like win.ini or other system configuration files could be targeted. On Linux hosts, /etc/passwd or application configuration files are common targets.

The entire attack requires only a single HTTP request and no prior authentication, making it trivially automatable.

Affected Systems and Versions

The vulnerability affects the Anti-Malware Security and Bruteforce Firewall WordPress plugin in versions up to and including 4.20.72. The WordPress plugin repository currently lists version 4.23.88 as the latest available release. Any WordPress installation running a version at or below 4.20.72 of this plugin should be considered vulnerable.

Vendor Security History

The Anti-Malware Security and Bruteforce Firewall plugin has experienced multiple security issues over its lifecycle:

  • Versions prior to 4.15.44 were vulnerable to Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF), as documented by WPScan.
  • Versions below 4.20.94 contained a Reflected Cross Site Scripting vulnerability caused by unsanitized POST data, also tracked by WPScan.

This pattern suggests that input validation has been a recurring challenge for the plugin's development team.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization