Critical severity9.8NVD Advisory· Published May 10, 2026· Updated May 12, 2026

CVE-2021-47933

Description

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.

Affected products

WordPress/Mstore Apireferences
Package: https://wordpress.org/plugins/mstore-api

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wordpress.org/plugins/mstore-api/nvd
www.exploit-db.com/exploits/50379nvd
www.vulncheck.com/advisories/wordpress-mstore-api-arbitrary-file-uploadnvd

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026)
Wordfence Blog · Apr 16, 2026

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000