CVE-2021-4354 in PWA for WP Plugin
Summary
by MITRE • 06/07/2023
The PWA for WP & AMP for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pwaforwp_splashscreen_uploader function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability identified as CVE-2021-4354 affects the PWA for WP & AMP for WordPress plugin in version 1.7.32 and all earlier releases. The flaw resides in the pwaforwp_splashscreen_uploader function, which lacks validation of the type of file being uploaded to the WordPress server. This is a critical gap: it allows authenticated attackers to bypass the normal upload restrictions and potentially execute code of their choosing on the affected system.
The technical flaw manifests through insufficient input validation within the plugin's file upload functionality. When users attempt to upload files through the splash screen uploader, the system fails to properly verify the file extensions or MIME types against a whitelist of acceptable formats. This absence of validation creates an exploitable pathway where malicious actors can upload files with potentially dangerous extensions such as .php, .jsp, or other server-side script formats. The vulnerability directly maps to CWE-434 which describes "Unrestricted Upload of File with Dangerous Type" and aligns with ATT&CK technique T1505.003 for "Download and Execute" operations.
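To make the missing checks concrete, here is an added example (not the plugin's code, and written in Python rather than PHP so the logic is language-neutral) that places the flawed pattern, accepting whatever name and body the client sends, beside a hardened check for a splash-screen image uploader. The sample uploads, the allowlist and the script-extension list are constructed for the illustration; the hardened path requires an allowlisted extension, refuses a script extension anywhere in the name, checks that the client Content-Type and the file's leading bytes agree with that extension, and stores the file under a server-generated name.

```python
import os
import secrets

# Constructed sample uploads: (client filename, client Content-Type, first
# bytes of the body). The Content-Type is attacker-controlled, so two of the
# samples deliberately claim to be images while carrying a script body.
SAMPLE_UPLOADS = [
    ("splash.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("splash.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("shell.php", "image/png", b"<?php echo 'hi'; ?>"),        # script extension
    ("logo.php.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),  # double extension
    ("shell.phtml", "image/jpeg", b"<?php echo 'hi'; ?>"),     # alternate PHP extension
    ("fake.png", "image/png", b"<?php echo 'hi'; ?>"),         # image name, script body
]

# Allowed image extensions with the magic bytes each must start with.
ALLOWED_IMAGES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXPECTED_MIME = {"png": "image/png", "jpg": "image/jpeg",
                 "jpeg": "image/jpeg", "gif": "image/gif"}

# Extensions a web server may hand to an interpreter. A match anywhere in
# the name, not only as the last suffix, is rejected because some server
# configurations execute "logo.php.png" as PHP.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "pht", "jsp", "asp", "aspx", "cgi", "pl", "py", "sh",
                     "htaccess"}


def vulnerable_accept(filename, content_type, body):
    """The flawed pattern (CWE-434): nothing about the file is checked and
    the client-chosen name is written to the uploads directory as-is."""
    return True, os.path.basename(filename)


def hardened_accept(filename, content_type, body):
    """Return (accepted, stored_name_or_rejection_reason)."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    ext = parts[-1]
    # 1. Extension allowlist (never a denylist).
    if ext not in ALLOWED_IMAGES:
        return False, f"extension .{ext} not allowed"
    # 2. No script extension embedded earlier in the name.
    if any(p in SCRIPT_EXTENSIONS for p in parts[:-1]):
        return False, "script extension embedded in filename"
    # 3. Client Content-Type must agree with the extension. This is
    #    attacker-controlled, so it is necessary but not sufficient.
    if content_type.split(";")[0].strip().lower() != EXPECTED_MIME[ext]:
        return False, "content-type does not match extension"
    # 4. The bytes on disk must actually be that image format.
    if not any(body.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        return False, "content does not match extension"
    # 5. The stored name is generated server-side; the client name is
    #    never reused, so it cannot influence how the server treats the file.
    return True, f"{secrets.token_hex(8)}.{ext}"


def check_samples():
    """Map each constructed sample to the hardened decision."""
    return {name: hardened_accept(name, ctype, body)[0]
            for name, ctype, body in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for name, ctype, body in SAMPLE_UPLOADS:
        print(f"{name:14} vulnerable={vulnerable_accept(name, ctype, body)[0]} "
              f"hardened={hardened_accept(name, ctype, body)}")
```

The magic-byte check is what distinguishes this from a name-only filter: a script body renamed to `fake.png` passes steps 1 to 3 and is caught only at step 4. In a real WordPress plugin the same checks are available through `wp_check_filetype_and_ext()` and `wp_handle_upload()`, which is the route a fix would normally take; the example above simply spells out what those helpers are expected to enforce.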
The operational impact of this vulnerability extends beyond simple unauthorized file uploads, as it creates potential for remote code execution on the compromised WordPress installation. An authenticated attacker with appropriate privileges can leverage this flaw to upload malicious payloads that could then be executed by the web server, potentially leading to complete system compromise. The attack vector requires only authentication to the WordPress system, which significantly lowers the barrier for exploitation compared to unauthenticated attacks. This vulnerability affects not just the plugin itself but the entire WordPress ecosystem, as successful exploitation can provide attackers with persistent access to the server environment.
Mitigation strategies for CVE-2021-4354 should prioritize immediate plugin updates to version 1.7.33 or later, which contain the necessary patches to address the file validation issues. Organizations should also implement additional security measures including restrictive file upload policies, proper MIME type validation, and regular security audits of installed plugins. Network monitoring should be enhanced to detect unusual file upload activities, while server-side configurations should enforce strict file extension filtering and content validation. The vulnerability underscores the importance of maintaining up-to-date software components and implementing defense-in-depth strategies to protect against similar exploitation vectors that may target other WordPress plugins or core components.
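One concrete form of the "detect unusual file upload activity" advice is to watch the web server's access log for script files being requested from the uploads directory, which should only ever serve static media. The following added example (not from VulDB or the plugin) runs that check over a few constructed Combined Log Format lines; the IP addresses, paths and timestamps are made up for the illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Script extensions that must never appear under the uploads tree. The
# trailing (\.|$) also catches double extensions such as "logo.php.png";
# .htaccess is included because a dropped .htaccess can re-enable execution.
SCRIPT_EXT_RE = re.compile(
    r"\.(php\d?|phtml|phar|pht|cgi|pl|py|sh|htaccess)(\.|$)", re.IGNORECASE
)

# Constructed sample log: an AJAX upload, a legitimate image fetch, two
# script-looking paths under uploads, and an ordinary theme asset.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2023:10:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 118 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2023:10:01:15 +0000] "GET /wp-content/uploads/2023/06/splash.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2023:10:01:20 +0000] "GET /wp-content/uploads/2023/06/logo.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2023:10:02:01 +0000] "GET /wp-content/uploads/2023/06/logo.php.png HTTP/1.1" 403 312 "-" "curl/8.0"
192.0.2.9 - - [07/Jun/2023:10:03:00 +0000] "GET /wp-content/themes/example/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def find_script_requests_in_uploads(log_text, uploads_prefix="/wp-content/uploads/"):
    """Return one record per request for a script-like path under uploads.

    'served' is True when the server answered 200, i.e. the file exists and
    was handed out (or executed) rather than blocked; that is the case to
    escalate first.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = urlsplit(m["path"]).path  # drop any query string
        if path.startswith(uploads_prefix) and SCRIPT_EXT_RE.search(path):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": path,
                "status": int(m["status"]),
                "served": m["status"] == "200",
            })
    return hits


def served_script_count(log_text):
    """Number of flagged requests that actually succeeded."""
    return sum(1 for h in find_script_requests_in_uploads(log_text) if h["served"])


if __name__ == "__main__":
    for hit in find_script_requests_in_uploads(SAMPLE_LOG):
        print(hit)
```

A 200 for a `.php` path under `wp-content/uploads/` means the server executed a file that validation should never have let in; pairing this with a server-side rule that disables script execution in the uploads directory turns the same condition into a 403, which the detector still records but ranks lower.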