WordPress MStore API unauth RCE (CVE-2021-47933)
CVE-2021-47933: WordPress MStore API 2.0.6 unauthenticated file upload leads to RCE (CVSS 9.8). Update to version 3.0.0 or later immediately.
Patch now - CVE-2021-47933 is a critical arbitrary file upload vulnerability in WordPress MStore API 2.0.6 that lets unauthenticated attackers upload PHP web shells and achieve remote code execution on the server. Patched in version 3.0.0 - update immediately.
Overview
CVE-2021-47933 affects the WordPress MStore API plugin version 2.0.6. The plugin enables mobile app integration with WooCommerce stores and exposes several REST API endpoints. The vulnerability exists in the config_file endpoint, which fails to validate file types properly.
An attacker can send a crafted POST request to this endpoint containing a PHP file with an arbitrary filename. The plugin processes the upload without checking the file extension or content, allowing the attacker to place a web shell on the server. Once the PHP file is uploaded, the attacker can access it directly via a web browser and execute arbitrary operating system commands.
The CVSS 9.8 score reflects the severity: the attack requires no authentication, no user interaction, and can be launched from the network with low complexity. This makes it trivially exploitable by anyone who can reach the WordPress site.
Impact
Successful exploitation gives the attacker complete control over the affected WordPress server. The attacker can:
- Execute arbitrary PHP code with the web server’s privileges
- Read, modify, or delete any files accessible to the web server user
- Install persistent backdoors for ongoing access
- Access the WordPress database, including user credentials and sensitive site data
- Use the compromised server as a pivot point to attack other systems on the network
Websites running WordPress with MStore API 2.0.6 are at immediate risk of takeover. Given the low complexity of exploitation, automated scanning and exploitation should be expected.
Remediation and Mitigation
Immediate actions:
- Update the MStore API plugin to version 3.0.0 or later. The vendor released this patched version to fix the file upload validation.
- If updating is not immediately possible, disable the MStore API plugin entirely until the update can be applied.
- Scan the WordPress installation for suspicious PHP files, particularly in upload directories or plugin folders that were not part of the original installation.
Post-remediation checks:
- Review server access logs for POST requests to the config_file endpoint
- Check for unexpected file creation dates around the time of potential exposure
- Verify that no unauthorized administrative users exist in WordPress
- Change all WordPress admin passwords and application passwords
For ongoing protection, implement a Web Application Firewall (WAF) with rules to block file uploads to known sensitive endpoints. Regular plugin audits and keeping third-party extensions updated are essential security practices.
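The two evidence-gathering steps from the post-remediation list (reviewing access logs for POST requests to the config_file endpoint, and looking for PHP files that have no business sitting in the uploads tree) can be scripted for triage. The script below is an added example written for this advisory, not code from the advisory or from the plugin vendor. The log lines and the directory tree it inspects are constructed for the example; the route prefix "mstore-example" in the sample log is a placeholder, since the advisory names only the config_file route, and matching is done on that route name alone.

```python
"""Post-remediation triage for CVE-2021-47933 (added example, not from the advisory).

Two checks from the remediation list:
  1. find POST requests to the MStore API config_file endpoint in a web server
     access log in Apache/nginx "combined" format;
  2. list PHP files under wp-content/uploads, a directory in which WordPress
     never stores executable code, with their modification times.
The log lines and the directory tree below are constructed for this example.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Only the route name comes from the advisory; the URL prefix is unknown, so
# match on the route name wherever it appears in the request path.
SUSPECT_ROUTE = re.compile(r"config_file", re.IGNORECASE)

# "combined" access-log format: ip ident user [time] "METHOD path proto" status size ...
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two benign requests, one POST to the vulnerable
# route, and a follow-up GET to a PHP file in the uploads directory.
# "mstore-example" is a placeholder namespace, not the plugin's real one.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2022:03:14:07 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:03:14:09 +0000] "GET /wp-json/ HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2022:03:15:41 +0000] "POST /wp-json/mstore-example/config_file HTTP/1.1" 200 17 "-" "python-requests/2.26"
198.51.100.23 - - [10/Jan/2022:03:15:43 +0000] "GET /wp-content/uploads/2022/01/x.php HTTP/1.1" 200 54 "-" "python-requests/2.26"
"""

# Extensions PHP-FPM/mod_php commonly execute; anything with these under
# uploads/ deserves a look.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def find_upload_requests(log_text):
    """Return (ip, timestamp, status) for every POST that hit the config_file route."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] == "POST" and SUSPECT_ROUTE.search(m["path"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def find_php_in_uploads(uploads_dir):
    """Return sorted (relative path, mtime ISO-8601) for PHP files under uploads_dir."""
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                full = os.path.join(root, name)
                mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
                found.append((os.path.relpath(full, uploads_dir), mtime.isoformat()))
    return sorted(found)


def build_sample_uploads():
    """Create a constructed uploads tree: one image and one planted PHP file."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    os.makedirs(os.path.join(base, "2022", "01"))
    with open(os.path.join(base, "2022", "01", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic bytes, nothing more
    with open(os.path.join(base, "2022", "01", "x.php"), "w") as fh:
        fh.write("<?php /* constructed placeholder for the example, not a web shell */ ?>")
    return base


if __name__ == "__main__":
    for ip, ts, status in find_upload_requests(SAMPLE_LOG):
        print(f"POST to config_file from {ip} at {ts} -> HTTP {status}")
    sample_dir = build_sample_uploads()
    for rel, mtime in find_php_in_uploads(sample_dir):
        print(f"PHP file in uploads: {rel} (modified {mtime})")
```

On a real host, feed the script the full rotated log set rather than today's file, because the upload and the first use of the planted file may be days apart, and treat a 200 response to the POST as the trigger for a full compromise assessment rather than just deleting the file: the advisory's other post-remediation checks (unknown admin users, credential rotation) still apply.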
Security Insight
CVE-2021-47933 represents a category of vulnerability that continues to plague the WordPress ecosystem: plugins exposing REST API endpoints with insufficient input validation. The MStore API case is particularly dangerous because it combines unauthenticated access with file upload functionality - a recipe for trivial compromise. Plugin developers should treat any REST endpoint that accepts file uploads as a critical attack surface, enforcing strict validation on file type, size, and content. Site owners should inventory all plugins exposing API endpoints and prioritize patching those that handle file operations.
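The inventory the paragraph above recommends can be started from data WordPress already publishes: a GET to the site's /wp-json/ index returns every registered route with its namespace, HTTP methods, and the argument names each endpoint declares. The script below, an added example that is not part of the advisory, walks such an index and lists the non-core routes that accept writes, ranking those whose argument names suggest file handling first. The index it parses is a constructed sample; "mstore-example" is a placeholder namespace, not the plugin's real one, and the list of core namespaces is an assumption about a typical install.

```python
"""Rank plugin REST routes by upload risk from the WordPress REST index
(added example, not from the advisory).

The /wp-json/ index maps each route to {"namespace", "methods", "endpoints"},
and each endpoint carries an "args" object keyed by parameter name. Routes that
belong to a plugin namespace, accept POST/PUT/PATCH, and declare file-like
parameters are the ones to review and patch first.
"""
import json

# Namespaces shipped by WordPress core on a typical install (assumption).
CORE_NAMESPACES = ("wp/v2", "wp-site-health/v1", "wp-block-editor/v1", "oembed/1.0")
WRITE_METHODS = ("POST", "PUT", "PATCH")
# Substrings in parameter names that hint at file handling.
FILE_HINTS = ("file", "upload", "attachment", "image", "media")

# Constructed sample index; "mstore-example" is a placeholder namespace.
SAMPLE_INDEX = json.dumps({
    "namespaces": ["wp/v2", "mstore-example"],
    "routes": {
        "/wp/v2/posts": {
            "namespace": "wp/v2", "methods": ["GET", "POST"],
            "endpoints": [{"methods": ["GET"], "args": {}},
                          {"methods": ["POST"], "args": {"title": {}, "content": {}}}],
        },
        "/mstore-example/config_file": {
            "namespace": "mstore-example", "methods": ["POST"],
            "endpoints": [{"methods": ["POST"], "args": {"file": {}, "name": {}}}],
        },
        "/mstore-example/cart": {
            "namespace": "mstore-example", "methods": ["POST"],
            "endpoints": [{"methods": ["POST"], "args": {"product_id": {}}}],
        },
        "/mstore-example/products": {
            "namespace": "mstore-example", "methods": ["GET"],
            "endpoints": [{"methods": ["GET"], "args": {"page": {}}}],
        },
    },
})


def writable_plugin_routes(index_json):
    """Return non-core routes accepting writes, file-handling routes first.

    Each finding is {"route", "namespace", "methods", "file_args"}.
    """
    index = json.loads(index_json)
    findings = []
    for route, info in index.get("routes", {}).items():
        namespace = info.get("namespace", "")
        if namespace in CORE_NAMESPACES:
            continue  # core routes are patched with WordPress itself
        methods = info.get("methods", [])
        if not any(m in WRITE_METHODS for m in methods):
            continue  # read-only routes cannot accept an upload
        arg_names = set()
        for endpoint in info.get("endpoints", []):
            arg_names.update(endpoint.get("args", {}).keys())
        file_args = sorted(a for a in arg_names
                           if any(h in a.lower() for h in FILE_HINTS))
        findings.append({"route": route, "namespace": namespace,
                         "methods": sorted(methods), "file_args": file_args})
    # File-handling routes first, then alphabetical for stable output.
    return sorted(findings, key=lambda f: (not f["file_args"], f["route"]))


if __name__ == "__main__":
    for f in writable_plugin_routes(SAMPLE_INDEX):
        flag = "FILE" if f["file_args"] else "    "
        print(f"{flag} {f['route']} {f['methods']} args={f['file_args']}")
```

Two caveats when using this against a live site: the index does not expose each route's permission_callback, so whether a flagged route is reachable without authentication (as the config_file endpoint was in 2.0.6) has to be confirmed from the plugin source or by a controlled test on a staging copy; and some plugins register routes without declaring args, so a route with no file-like parameters is a lower priority, not a cleared one.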