
A Popular WordPress Plugin Left Millions of Online Stores Wide Open to Hackers

A critical flaw in the MStore API plugin lets attackers seize full control of WordPress sites — no password required. Here's what to do right now.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Any stranger on the internet could walk into your online store's back room, plant whatever they want, and run it — without ever needing a key.

Who's at Risk — and How Bad Is It?

If your WordPress site runs the MStore API plugin at version 2.0.6 or earlier, your entire server may be exposed to a complete takeover. MStore API is a widely used plugin that powers mobile app storefronts built on WooCommerce, with tens of thousands of active installations across e-commerce sites, small businesses, and digital marketplaces worldwide. The vulnerability carries a CVSS score of 9.8 out of 10 — as close to "worst possible" as a security flaw gets.

The real-world impact isn't abstract. We're talking about customer payment data, personal addresses, order histories, and admin credentials — all potentially in an attacker's hands. Beyond theft, a compromised server can be conscripted into sending spam, hosting phishing pages, or attacking other websites entirely, meaning your business could become an unwitting weapon pointed at someone else's customers.

What an Attacker Actually Does

Imagine your website is a building. The MStore API plugin installs a side door — a special entrance designed for mobile apps to communicate with your store. Under normal circumstances, only your own app uses that door, and only after proving its identity. This vulnerability means the lock on that side door is completely broken. Anyone who knows it exists can walk straight in, no credentials required.

Once inside, the attacker doesn't just browse around. They carry a backpack full of tools — specifically, a malicious script disguised as a harmless file. They drop it into a specific room called the config_file endpoint, give it any name they like, and the server obediently runs it. From that moment on, the attacker has the same level of control over your server as you do — arguably more, because they're operating in the shadows. They can read every file, modify your store, create hidden admin accounts, or quietly siphon off customer data for weeks without triggering any alarm.

What makes this particularly dangerous is the word unauthenticated. Most serious attacks require some prior foothold — a stolen password, a phished employee, an insider. This one requires nothing. A script can automatically scan the internet for vulnerable sites and compromise dozens of them in minutes, with no human attacker even watching.

The Technical Detail Security Teams Need

The vulnerability is an unauthenticated arbitrary file upload via the REST API /wp-json/ route targeting the config_file endpoint. The plugin fails to enforce any authentication check or file-type validation before writing attacker-supplied content to disk. Because WordPress servers typically execute .php files placed within the web root, uploading a PHP webshell to this endpoint results in immediate remote code execution (RCE) with web server privileges. This falls into the CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability class — a well-understood but devastatingly effective attack primitive when authentication gates are absent entirely.

Discovered, Exploited — What We Know

CVE-2021-47933 was formally catalogued as a critical severity vulnerability affecting MStore API version 2.0.6. As of the time of writing, no confirmed active exploitation campaigns have been publicly attributed to this specific CVE — but that should offer only cold comfort. Vulnerabilities of this class and severity score have historically seen weaponized proof-of-concept code appear within days of public disclosure, and automated scanning tools used by opportunistic attackers routinely sweep the entire public internet for known plugin vulnerabilities on WordPress installations. The window between "no known exploitation" and "actively being mass-exploited" can be measured in hours, not weeks.

The WordPress ecosystem has seen this playbook before. Similar unauthenticated file upload flaws in plugins like Fancy Product Designer and File Manager led to widespread, automated attacks affecting hundreds of thousands of sites within 48 hours of disclosure. There is no credible reason to believe this vulnerability will follow a different trajectory.

What You Need to Do Right Now

  1. Update MStore API immediately to the latest patched version.
    Log into your WordPress dashboard, navigate to Plugins → Installed Plugins, and update MStore API to any version released after 2.0.6. If an update is not yet available through your dashboard, visit the official WordPress plugin repository or the developer's site directly. If you cannot update immediately, deactivate the plugin entirely until you can — a temporarily broken mobile storefront is far preferable to a compromised server.
  2. Audit your server for signs of compromise.
    Check your web server's upload directories and the WordPress wp-content/ folder tree for any unfamiliar .php files, especially recently modified ones. Tools like Wordfence or Sucuri SiteCheck can scan for known webshells and unauthorized file changes. Review your server access logs for unexpected POST requests to /wp-json/ endpoints — a pattern of requests to config_file routes from unfamiliar IP addresses is a red flag.
  3. Harden your WordPress REST API and file permissions going forward.
    Configure your web server (Apache or Nginx) to block execution of PHP files in upload directories — a simple rule that would neutralize this entire class of attack even if a file were successfully uploaded. Additionally, consider using a web application firewall (WAF) such as Cloudflare or the Wordfence firewall to rate-limit and inspect REST API traffic. Routinely auditing installed plugins and removing any that are unused or unmaintained is one of the highest-return security habits a WordPress site owner can build.
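As an added example for step 2 (this is not code from the advisory or from the plugin's authors), a small Python checker that parses access-log lines in the common "combined" format and flags POST requests to config_file routes under /wp-json/, grouped by source address. The sample log lines are constructed, and the route segment between /wp-json/ and config_file is a placeholder, since the page names only the endpoint.

```python
import re
from collections import Counter

# Apache/Nginx "combined" access-log format. The request line is split into
# method, path and protocol so both the verb and the route can be matched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_config_file_upload(entry):
    """POST to a /wp-json/ route whose path contains 'config_file' (the
    endpoint named in the advisory); the plugin's namespace segment is not
    assumed, only the endpoint name."""
    return (entry["method"] == "POST"
            and entry["path"].startswith("/wp-json/")
            and "config_file" in entry["path"])


def suspicious_requests(lines):
    """Parsed entries for every line that looks like a config_file upload."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_config_file_upload(entry):
            hits.append(entry)
    return hits


def offenders_by_ip(hits):
    """Count hits per source address so repeated probing stands out."""
    return Counter(h["ip"] for h in hits)


# Constructed sample lines (not real traffic); 203.0.113.x and 198.51.100.x
# are documentation ranges, and PLACEHOLDER-NS stands in for the route namespace.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-json/PLACEHOLDER-NS/config_file HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:02:14:10 +0000] "GET /wp-json/wc/v3/products HTTP/1.1" 200 8841 "-" "MStoreApp/1.0"
203.0.113.7 - - [10/Mar/2024:02:14:11 +0000] "POST /wp-json/PLACEHOLDER-NS/config_file HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:02:15:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 401 123 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in offenders_by_ip(suspicious_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {n} POST(s) to a config_file route under /wp-json/")
```

On a live server, feed it the web server's access log instead of SAMPLE_LOG; any address that shows up here should be cross-checked against recently modified .php files under wp-content/.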

CVE-2021-47933 | CVSS 9.8 Critical | Affects: MStore API ≤ 2.0.6 | Category: Unauthenticated Remote Code Execution
