CVE-2021-47940

CRITICAL 9.8

WordPress Download From Files 1.48 Arbitrary File Upload

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers can send POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action, manipulating the allowExt parameter to bypass file type restrictions and upload executable files like PHP shells to the web root.

CWE	CWE-306
Vendor	download-from-files
Product	download from files
Published	May 10, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for download-from-files download from files

Be the first to know when new critical vulnerabilities affecting download-from-files download from files are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

download-from-files / Download From Files

0 ≤ 1.48

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/50287 wordpress.org: https://wordpress.org/plugins/download-from-files/ vulncheck.com: https://www.vulncheck.com/advisories/wordpress-download-from-files-arbitrary-file-upload

Credits

spacehen