Description
WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers can send POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action, manipulating the allowExt parameter to bypass file type restrictions and upload executable files like PHP shells to the web root.
Published: 2026-05-10
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Download From Files plugin enables unauthenticated attackers to upload arbitrary files through the AJAX fileupload action. By POSTing to admin-ajax.php with action download_from_files_617_fileupload and manipulating allowExt, an attacker can trick the plugin into accepting executable files like PHP shells. This allows execution of code on the server, compromising confidentiality, integrity, and availability.

Affected Systems

WordPress sites running the Download From Files plugin version 1.48 or older are impacted. The plugin is distributed through the WordPress plugin repository and is widely used. Older versions lack the upload restrictions added in later releases. No specific WordPress version is required; the flaw resides solely in the plugin.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. No EPSS score is available, and the CVE is not listed in the KEV catalog, which suggests it has not yet seen widespread in-the-wild exploitation. The attack vector is remote, relying on unauthenticated HTTP POST requests to the site's admin-ajax.php endpoint. If the plugin remains installed and enabled, an attacker can upload a PHP shell without authentication, leading to full remote code execution.
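Added example (not code from OpenCVE, VulnCheck or the plugin): detection logic in Python that flags requests matching the vector described above, assuming a log source such as a WAF or reverse-proxy audit log that records admin-ajax.php requests together with their query string and form body. The allowExt format (treated here as a delimiter-separated list of extensions) and the sample requests are constructed assumptions, not values from the advisory.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

VULN_ACTION = "download_from_files_617_fileupload"
# Extensions a PHP-enabled web server will typically execute.
EXEC_EXTS = {"php", "php5", "php7", "phtml", "phar"}

def _merged_params(query: str, body: str) -> dict:
    """WordPress reads `action` from $_REQUEST, so a parameter may sit in the
    query string or the form body; merge both so neither placement is missed."""
    merged: dict = {}
    for source in (query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged

def inspect_request(method: str, url: str, body: str = "") -> Optional[dict]:
    """Finding for a request that targets the vulnerable AJAX action, else None.
    Assumption (the advisory gives no format): allowExt is a comma-, pipe- or
    space-separated list of extensions."""
    parts = urlsplit(url)
    if not parts.path.endswith("/admin-ajax.php"):
        return None
    params = _merged_params(parts.query, body)
    if VULN_ACTION not in params.get("action", []):
        return None
    requested = []
    for raw in params.get("allowExt", []):
        for ext in raw.replace("|", ",").replace(" ", ",").split(","):
            ext = ext.strip().lstrip(".").lower()  # ".PHP" and "php" are the same
            if ext:
                requested.append(ext)
    exec_hit = sorted(set(requested) & EXEC_EXTS)
    # Any call to this action on a site still running <= 1.48 is worth a ticket;
    # an executable extension in allowExt is the bypass the advisory describes.
    return {"method": method, "allowExt": requested, "executable_ext": exec_hit,
            "severity": "high" if exec_hit else "medium"}

# Constructed sample traffic (not captured data): (method, url, form body).
SAMPLE_REQUESTS = [
    ("GET", "/wp-admin/admin-ajax.php?action=heartbeat", ""),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=download_from_files_617_fileupload&allowExt=jpg,png"),
    ("POST", "/wp-admin/admin-ajax.php?action=download_from_files_617_fileupload",
     "allowExt=jpg,.PHP"),
    ("POST", "/wp-login.php", "log=admin&pwd=hunter2"),
]

def scan(records) -> list:
    return [f for f in (inspect_request(*r) for r in records) if f]
```

Plain access logs do not carry POST bodies, so on a site without a WAF the query-string placement is the only one this will see; the function's result is a dict per finding so it can feed an alerting pipeline directly.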

Generated by OpenCVE AI on May 10, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Download From Files plugin to the latest release to remove the vulnerable upload capability.
  • If immediate upgrade is not possible, disable or uninstall the plugin to eliminate the attack surface.
  • Restrict file uploads by configuring the plugin or WordPress to allow only safe file types and block executable files such as .php in the uploads directory.


Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           (identical to the Description above)
Title        (none)           WordPress Download From Files 1.48 Arbitrary File Upload
Weaknesses   (none)           CWE-306
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                              cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:58.089Z

Reserved: 2026-02-01T11:24:18.718Z

Link: CVE-2021-47940

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:30.363

Modified: 2026-05-10T13:16:30.363

Link: CVE-2021-47940

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:00:11Z

Weaknesses