Executive Summary
A critical remote code execution vulnerability (CVE-2021-47933) has been identified in the MStore API plugin for WordPress, affecting version 2.0.6 and earlier. The flaw carries a CVSS score of 9.8 and permits unauthenticated attackers to upload arbitrary PHP files to the server via the plugin's REST API.
The vulnerable endpoint — config_file — accepts file uploads without authentication or file type validation. An attacker can upload a PHP webshell to the web server, then trigger its execution with a simple HTTP request, achieving full remote code execution under the web server process.
All WordPress installations running MStore API version 2.0.6 or earlier are at critical risk and should apply patches immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-47933 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-434 — Unrestricted Upload of File with Dangerous Type |
| Type | Arbitrary File Upload / Remote Code Execution |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Update to patched release of MStore API |
Affected Versions
| Plugin | Affected Versions | Fixed Version |
|---|---|---|
| MStore API | <= 2.0.6 | Update to patched release |
Technical Analysis
Root Cause
MStore API 2.0.6 exposes a REST API endpoint at /wp-json/...config_file that is designed to handle configuration file uploads for the WooCommerce mobile store builder. This endpoint lacks authentication requirements and file type validation, allowing any unauthenticated HTTP client to submit a POST request containing an arbitrary file.
The uploaded file is written to a web-accessible directory with the attacker-specified filename. Because there is no restriction against .php extensions, an attacker can upload a PHP webshell and subsequently request it directly to execute arbitrary server-side commands.
Attack Flow
1. Attacker identifies a WordPress site with MStore API <= 2.0.6 active
2. Attacker crafts a multipart POST request to the config_file REST endpoint:
   POST /wp-json/mstore-api/v3/config_file (or equivalent endpoint path)
   Content-Type: multipart/form-data
   Payload: shell.php containing "<?php system($_GET['cmd']); ?>"
3. Server writes the PHP file to a web-accessible upload/config directory
4. Attacker identifies the uploaded file's URL (predictable path or directory listing)
5. Attacker requests the PHP file:
   GET /wp-content/uploads/mstore/shell.php?cmd=id
6. Server executes the PHP code — RCE confirmed
7. Attacker escalates: reads wp-config.php for DB credentials, installs a persistent RAT, or pivots to internal infrastructure

Exploitation Conditions
- MStore API version 2.0.6 or earlier must be installed and active
- The REST API must be accessible (default WordPress configuration)
- No authentication required
- File upload directory must be web-accessible (default behavior)
- No user interaction on the victim side
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full OS command execution as the web server user |
| WordPress Credential Theft | wp-config.php exposes database credentials, secret keys |
| Database Compromise | All WooCommerce customer and order data accessible |
| Persistent Backdoor | Webshell or RAT installed for ongoing access |
| Customer PII Exfiltration | Names, addresses, payment tokens, order history stolen |
| Server Pivoting | Lateral movement within hosting environments |
| Hosting Account Takeover | Compromise of other sites on shared hosting |
| Ransomware Deployment | Files accessible for encryption or exfiltration demands |
Immediate Remediation
Step 1: Update MStore API
Update the MStore API plugin to the latest version that addresses CVE-2021-47933.

```bash
# Via WP-CLI — check installed version
wp plugin get mstore-api --field=version
# Update to latest version
wp plugin update mstore-api
# If no patch available — deactivate and remove
wp plugin deactivate mstore-api
wp plugin delete mstore-api
```

Step 2: Block the Vulnerable REST Endpoint
If an immediate update is not possible, block access to the vulnerable endpoint. These path-based rules cover only the /wp-json/ form of the REST URL; WordPress also serves REST routes through the rest_route query parameter on index.php, so treat them as a stopgap until the plugin is updated or removed.

```nginx
# Nginx — block the config_file endpoint
location ~* /wp-json/mstore-api/.*/config_file {
    deny all;
    return 403;
}
```

```apache
# Apache — block via RewriteRule. Place it before WordPress's own rewrite rules;
# in a per-directory .htaccess the matched path has no leading slash, so use ^wp-json/ there.
RewriteEngine On
RewriteRule ^/wp-json/mstore-api/.*config_file.* - [F,L]
```

Step 3: Prevent PHP Execution in Upload Directories
```nginx
# Nginx — deny PHP in WooCommerce/MStore upload paths
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
    return 404;
}
```

```apache
# Apache .htaccess in wp-content/uploads/
# (Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied")
<Files *.php>
Deny from all
</Files>
```

Step 4: Audit for Uploaded Webshells
```bash
# Find PHP files in upload directories
find /path/to/wordpress/wp-content/uploads/ -name "*.php" -type f
# Grep for webshell patterns in suspicious files
grep -r "system\|exec\|passthru\|shell_exec\|base64_decode\|eval" \
  /path/to/wordpress/wp-content/uploads/
# Check recently modified PHP files (last 7 days), skipping cache directories
find /path/to/wordpress/ -name "*.php" -mtime -7 \
  -not -path "*/cache/*" -type f
# Review access logs for REST API upload requests
grep "POST.*config_file\|mstore-api" /var/log/nginx/access.log | tail -200
```

Step 5: Rotate All WordPress Credentials
```bash
# Reset the database password and update wp-config.php to match
# Generate new WordPress secret keys (invalidates all sessions)
wp config shuffle-salts
# Reset all admin passwords, generating a fresh random password per account
for id in $(wp user list --role=administrator --format=ids); do
  wp user update "$id" --user_pass="$(openssl rand -base64 24)"
done
```

Detection Indicators
| Indicator | Description |
|---|---|
| PHP files in wp-content/uploads/ | Planted webshells or backdoors |
| POST requests to /wp-json/mstore-api/...config_file | Active exploitation attempt |
| Unusual outbound connections from web process | Reverse shell or data exfiltration |
| Web server logs showing access to newly created PHP files | Webshell being triggered |
| Database queries with suspicious SELECT INTO OUTFILE | Post-exploitation data dumping |
| New admin accounts or modified user roles | Privilege escalation post-RCE |
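As an added example (not part of this advisory), the Python script below applies the first two indicators in the table, together with the access-log review from Step 4, to constructed nginx/Apache combined-format log lines: it flags POSTs to the mstore-api config_file endpoint and requests for PHP files under wp-content/uploads, and raises a PHP request to critical when the same client hit the upload endpoint shortly before. The v3 endpoint path, client IPs and timestamps in the sample are constructed.

```python
import re
from datetime import datetime

# Constructed sample access log (combined format); not from a real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:14:02:11 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:14:02:19 +0000] "POST /wp-json/mstore-api/v3/config_file HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:14:02:23 +0000] "GET /wp-content/uploads/mstore/shell.php?cmd=id HTTP/1.1" 200 212 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:14:05:40 +0000] "GET /wp-content/uploads/2024/03/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:05:41 +0000] "GET /wp-json/wc/store/v1/products HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The two indicators from the table: the upload endpoint, and PHP served from uploads.
UPLOAD_ENDPOINT = re.compile(r"/wp-json/mstore-api/[^?\s]*config_file", re.I)
PHP_IN_UPLOADS = re.compile(r"/wp-content/uploads/[^?\s]*\.php(\?|$)", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text, window_s=600):
    """Return (severity, client_ip, path, reason) findings. A PHP request under uploads
    becomes 'critical' when the same client POSTed to config_file within window_s seconds
    before it, i.e. the upload-then-trigger sequence from the Attack Flow."""
    findings, upload_times = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_ENDPOINT.search(rec["path"]):
            findings.append(("high", rec["ip"], rec["path"], "POST to mstore-api config_file"))
            upload_times.setdefault(rec["ip"], []).append(rec["ts"])
        elif PHP_IN_UPLOADS.search(rec["path"]):
            recent = any(0 <= (rec["ts"] - t).total_seconds() <= window_s
                         for t in upload_times.get(rec["ip"], []))
            sev = "critical" if recent else "medium"
            findings.append((sev, rec["ip"], rec["path"],
                             f"PHP requested from uploads (HTTP {rec['status']})"))
    return findings
```

Run `detect(SAMPLE_LOG)` to see the POST flagged as high and the follow-up shell.php request flagged as critical; the static image and the WooCommerce Store API request produce nothing.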
Post-Remediation Checklist
- Update or remove MStore API immediately
- Scan upload directories for PHP webshells and remove any found
- Block PHP execution in all upload-accessible directories
- Rotate all credentials — WordPress DB password, API keys, SMTP, payment gateway tokens
- Regenerate WordPress secret keys to invalidate all sessions
- Audit admin accounts — remove any unauthorized administrator entries
- Review wp-config.php for unauthorized modifications
- Enable file integrity monitoring (Wordfence, iThemes Security)
- Deploy a WAF with REST API abuse protection rules
- Notify customers if evidence of WooCommerce data exfiltration is found