CVE-2021-47940: WordPress Download From Files Plugin Uploads Malicious Files

CVE-2021-47940
Summary

The WordPress Download From Files plugin, versions 1.48 and earlier, allows unauthenticated attackers to upload arbitrary files, including executable files such as PHP shells, through its AJAX file upload action. No login is required, so anyone who can reach the site can place files on it that could harm your website. To stay safe, update the plugin to the latest version as soon as possible.

Original title
WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX ...
Original description
WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers can send POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action, manipulating the allowExt parameter to bypass file type restrictions and upload executable files like PHP shells to the web root.
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 10 May 2026 · Updated: 28 May 2026 · First seen: 10 May 2026