WP Super Edit file upload bug puts old WordPress sites at risk

CVE-2021-47965 affects WP Super Edit 2.5.4 and earlier, where an unrestricted upload path in FCKeditor may allow remote code execution.

2026-05-17 GIGATAP Team #security
#WordPress#CVE#rce

What is known#

NVD has listed CVE-2021-47965 as a critical vulnerability affecting WP Super Edit, a WordPress plugin, in versions 2.5.4 and earlier. The issue is described as an unrestricted file upload vulnerability in the plugin’s FCKeditor component.

The reported weakness is direct. The affected component allows attackers to upload dangerous file types without validation through a filemanager upload endpoint. NVD’s description says this can let an attacker upload arbitrary files and achieve remote code execution, with potential complete system compromise.

The CVSS score is 9.8. That rating reflects the usual shape of this class of bug: remote attack path, low barrier to abuse, and high impact if an exposed instance is reachable and configured in the vulnerable state.

The source material does not provide exploit telemetry, affected site counts, patch metadata beyond the affected version range, or evidence of active exploitation. Those gaps matter. A critical CVE is not the same as confirmed mass exploitation. But unrestricted upload into a web-accessible path is one of the older, simpler ways WordPress environments get turned from “plugin bug” into server compromise.

Why this matters#

This is not just a WordPress admin inconvenience. File upload validation failures can cross the line from application bug to host-level incident.

If an attacker can upload a script or other executable payload through a plugin endpoint, the next step may be remote code execution under the web server’s privileges. From there, the impact depends on the hosting setup: file permissions, PHP execution rules, isolation between sites, database credentials, and whether the same server hosts other applications.

That is why old editor and file-manager components are so often high-risk. They sit close to content workflows. They were built to accept files. If validation and access control are weak, they become a convenient write primitive for an attacker.

The named component here, FCKeditor, is also a reminder of a common WordPress risk pattern: legacy bundled components often survive long after their original security assumptions stop being safe. A site owner may not think of an editor plugin as part of the attack surface. Attackers do.

For ordinary site operators, the question is simple: is WP Super Edit installed, and if yes, is it at or below version 2.5.4? If the answer is yes, the safe assumption is that the site needs attention now.

What not to overclaim#

The available source text supports a serious finding, but it does not support every possible conclusion.

It does not say that every WordPress site is affected. It does not say that current WordPress core is vulnerable. It does not state that exploitation is happening in the wild. It does not provide a proof-of-concept, attacker IPs, malware families, or campaign details.

It also does not specify whether successful exploitation requires authentication, a particular plugin configuration, or a specific server-side execution setup. The CVSS score suggests a severe remote risk, but defenders should still verify their own exposure rather than assume all environments behave identically.

That said, unrestricted upload bugs deserve conservative handling. The absence of exploitation data is not a reason to leave an old vulnerable plugin exposed. WordPress compromise often begins with exactly this kind of forgotten component.

What site owners should check#

Start with inventory. Confirm whether WP Super Edit is installed anywhere, including staging sites, old multisite environments, abandoned client installs, and backups restored to public URLs. Old WordPress instances are often the real exposure, not the main production site everyone remembers.

Then check the plugin version. NVD names WP Super Edit 2.5.4 and earlier as affected. If that version range is present, remove or disable the plugin unless there is a known fixed version and a clear operational reason to keep it. Do not leave a vulnerable upload component enabled because “nobody uses that feature.” Attackers do not need the feature to be part of your editorial workflow.

Review the server for signs of prior abuse. Look for recently created PHP files or unusual uploads in plugin, media, temporary, and editor-related directories. Check web server logs for requests to filemanager upload endpoints. If the site runs multiple WordPress installs under the same account, inspect them together; compromise rarely respects the mental boundary between “main site” and “old test copy.”

Useful checks include:

  • Search installed plugins for WP Super Edit and bundled FCKeditor files.
  • Identify any version at or below 2.5.4.
  • Disable and remove the plugin if it is not strictly required.
  • Inspect upload-capable directories for unexpected executable files.
  • Review access logs around editor/filemanager endpoints.
  • Tighten PHP execution rules in upload directories where possible.
  • Rotate credentials if there are signs that arbitrary code may have run.

For managed hosting users, this is a good case to open a ticket with the host and ask whether they can scan for the plugin and block PHP execution in upload paths. For self-managed servers, the priority is containment: remove the vulnerable component, check for persistence, and verify that the WordPress filesystem is not writable more broadly than necessary.

Practical takeaway#

CVE-2021-47965 is a legacy WordPress plugin problem with a modern impact profile. The vulnerable object is old. The exploitation path, if reachable, is still dangerous.

Treat this as an exposure audit item. Find WP Super Edit. Check the version. Remove it if it is obsolete. Then look for evidence that the upload surface was used before you found it.