CVE-2021-47940

Name of the Vulnerable Software and Affected Versions Download From Files versions prior to 1.49

Description An arbitrary file upload flaw allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers can send POST requests to the 'admin-ajax.php' endpoint using the download from files 617 fileupload action. By manipulating the allowExt parameter, they can bypass file type restrictions to upload executable files, such as PHP shells, to the web root.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.