VYPR
High severity · CVSS 7.5 · NVD Advisory · Published May 16, 2026

CVE-2021-47977

Description

The WordPress plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that lets unauthenticated attackers read arbitrary files by manipulating the file parameter. The duplicator_download action, reachable through admin-ajax.php, accepts path traversal sequences in that parameter and returns files from outside the intended directory, including sensitive system files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress Anti-Malware Security plugin ≤4.20.72 has an unauthenticated directory traversal flaw allowing arbitrary file read via the duplicator_download action.

The WordPress Plugin Anti-Malware Security and Bruteforce Firewall, in versions up to 4.20.72, contains a directory traversal vulnerability (CWE-22) in the duplicator_download action handled through admin-ajax.php [1][2]. The plugin does not sanitize the file parameter, so unauthenticated attackers can supply path traversal sequences such as ..\ (or ../ on Linux hosts) to read files outside the intended directory.

Attack Vector

No authentication is required; an attacker only needs network access to the WordPress instance. A crafted GET or POST request to /wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\Windows\win.ini makes the plugin read and return the named file [4]. On Windows servers this exposes system files such as win.ini; on Linux servers the ../ form reaches files such as /etc/passwd [2].
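The point of the ..\ payload is that a filter written only for ../ never sees a backslash, while a Windows host treats both characters as separators. The following is an added example, not code from the Anti-Malware Security and Bruteforce Firewall plugin or its vendor: a path-confinement check that evaluates a requested file name under the target host's own path rules (Windows or Linux) and compares the result with a naive ../ filter. The base directories and payloads are constructed for illustration.

```python
"""Path-confinement check for a user-supplied download name.

Added example for this page; it is not code from the Anti-Malware Security
and Bruteforce Firewall plugin. Directory names and payloads are constructed.
Only the pure-Python path modules are used, so Windows and Linux rules are
evaluated on any host without touching the filesystem.
"""
import ntpath
import posixpath

# Path rules of the server that will open the file, not of the machine
# running this check.
FLAVOURS = {"windows": ntpath, "linux": posixpath}


def naive_filter_passes(requested: str) -> bool:
    """A filter that only looks for '../'. Returns True if it would let the
    value through. It never sees a backslash, which is the gap a ..\\ payload
    exploits on a Windows host."""
    return "../" not in requested


def is_confined(base_dir: str, requested: str, host_os: str = "linux") -> bool:
    """True only if base_dir joined with requested still resolves inside base_dir.

    On Windows both '/' and '\\' separate components; on Linux only '/' does,
    so a ..\\ payload there is just an odd file name inside base_dir.
    """
    flavour = FLAVOURS[host_os]
    base = flavour.normpath(base_dir)
    # join() drops base_dir when requested is absolute, and normpath()
    # collapses every '..' component, so an escape shows up as a target whose
    # common prefix with base is shorter than base itself.
    target = flavour.normpath(flavour.join(base_dir, requested))
    try:
        return flavour.commonpath([base, target]) == base
    except ValueError:
        # ntpath raises when the two paths sit on different drives (D:\...).
        return False


def judge(base_dir: str, requested: str, host_os: str) -> dict:
    """Side-by-side verdict of the naive filter and the real confinement check."""
    return {
        "request": requested,
        "naive_filter_passes": naive_filter_passes(requested),
        "confined": is_confined(base_dir, requested, host_os),
    }


if __name__ == "__main__":
    WIN_BASE = r"C:\site\wp-content\backups"         # constructed
    NIX_BASE = "/var/www/html/wp-content/backups"    # constructed
    cases = [
        (WIN_BASE, r"..\..\..\Windows\win.ini", "windows"),   # advisory payload
        (WIN_BASE, "../../../Windows/win.ini", "windows"),
        (WIN_BASE, "backup-2026-05-16.zip", "windows"),
        (WIN_BASE, r"D:\secret.txt", "windows"),
        (NIX_BASE, "../../../../../etc/passwd", "linux"),
        (NIX_BASE, r"..\..\..\etc\passwd", "linux"),          # plain file name on Linux
    ]
    for base, req, host in cases:
        print(judge(base, req, host))
```

The naive filter lets the Windows payload through while the confinement check rejects it; the same ..\ string on a Linux host stays confined, which is why the advisory pairs ..\ with win.ini and ../ with /etc/passwd. A real handler would additionally resolve symlinks (realpath) before comparing, which this offline check deliberately does not do.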

Impact

Successful exploitation lets an attacker read arbitrary files on the server's filesystem, including wp-config.php (which holds the database credentials) and sensitive system files. Disclosed credentials can be used to access the database or escalate privileges, so the flaw can lead to further compromise [2][4]. The CVSS v4.0 score is 8.1 (High) and the CVSS v3.1 score is 7.5, reflecting unauthenticated, low-complexity exploitation with high confidentiality impact.

Mitigation

The vulnerability affects plugin versions ≤4.20.72; the fix is in releases after 4.20.72, so upgrade to a fixed version [1][2]. As of the publication date (May 2026) no workaround is documented; disabling the plugin is a temporary measure if an upgrade is not possible. A public exploit is available on Exploit-DB, so automated scanning for this endpoint should be expected [4]; review access logs for admin-ajax.php requests with action=duplicator_download and a file parameter containing traversal sequences.
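Because the exploit rides on a GET query string, the attempt is visible in ordinary web-server access logs. The following is an added example, not part of any vendor product or of this advisory's references: a detector that parses combined-format log lines, keeps only admin-ajax.php requests with action=duplicator_download, percent-decodes the file parameter (including double encoding) and flags traversal or absolute paths. The log lines are constructed for illustration.

```python
"""Flag duplicator_download requests carrying path traversal in an access log.

Added example for this page, not part of any vendor product or of the
advisory's references. The log lines are constructed, in the combined log
format that Apache and nginx emit by default.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample traffic (not real). Lines 1-2 carry the advisory's
# payloads (Windows and Linux variants), line 3 is a legitimate-looking
# download and line 4 is an unrelated admin-ajax action.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%5C..%5C..%5CWindows%5Cwin.ini HTTP/1.1" 200 512 "-" "curl/8.6.0"
203.0.113.7 - - [16/May/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "curl/8.6.0"
198.51.100.9 - - [16/May/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=duplicator_download&file=backup-2026-05-16.zip HTTP/1.1" 200 88120 "-" "Mozilla/5.0"
198.51.100.9 - - [16/May/2026:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' component bounded by either separator, or an absolute path (leading
# slash/backslash or a drive letter) that would replace the base directory.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)|^[\\/]|^[A-Za-z]:[\\/]')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. ..%255C..) with a bounded loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str):
    """Return a finding dict for a duplicator_download request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    if params.get("action", [""])[0] != "duplicator_download":
        return None
    file_value = fully_decode(params.get("file", [""])[0])
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "method": m["method"],
        "status": int(m["status"]),
        "file": file_value,
        "traversal": bool(TRAVERSAL_RE.search(file_value)),
    }


def find_traversal_attempts(log_text: str) -> list:
    """All duplicator_download requests whose file parameter escapes the
    download directory. A 200 status suggests the read succeeded."""
    return [
        finding
        for finding in map(analyze_line, log_text.splitlines())
        if finding and finding["traversal"]
    ]


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} HTTP {hit["status"]} file={hit["file"]!r}')
```

Only the query string is visible in standard access logs, so a POST that carries action and file in the request body is not caught here; for that, the same checks have to run in a WAF or the application layer.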

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.