CVE-2021-47979

HIGH CVSS 8.8 View on NVD ↗

Description

WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

https://wordpress.org/plugins/backup-and-restore-for-wp/
https://www.exploit-db.com/exploits/50503
https://www.miniorange.com/
https://www.vulncheck.com/advisories/wordpress-plugin-backup-and-restore-arbitrary-file-deletion

Published: May 16, 2026 16:16 UTC Modified: May 16, 2026 16:16 UTC