CVE-2021-47943
Received Received - Intake
Authenticated Remote Code Execution in TextPattern CMS 4.8.7 via Malicious File Upload

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2021-47943
EUVD
EUVD-2021-34803
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
textpattern textpattern_cms 4.8.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47943 is a remote code execution vulnerability in TextPattern CMS 4.8.7 that allows authenticated attackers to upload malicious PHP files through the file upload functionality.

Attackers exploit this by uploading a PHP shell via the Files section in the content area. Once uploaded, they can execute arbitrary system commands by accessing the uploaded file at the path /textpattern/files/ and passing commands as GET parameters to the system function.

Impact Analysis

This vulnerability allows attackers to execute arbitrary commands on the affected server remotely, which can lead to full system compromise.

  • Attackers can gain unauthorized control over the server.
  • Sensitive data stored on the server may be accessed, modified, or deleted.
  • The server could be used as a launchpad for further attacks within the network.
  • Service disruption or defacement of the website hosted on the CMS.
Detection Guidance

This vulnerability can be detected by checking for the presence of malicious PHP files uploaded through the Files section in the content area of the TextPattern CMS. Specifically, look for PHP files in the /textpattern/files/ directory that may allow command execution via GET parameters.

A practical detection method is to attempt accessing suspicious PHP files with a command parameter to see if commands are executed. For example, you can try accessing a URL like:

  • /textpattern/files/yourphp.php?cmd=whoami

If the server returns the output of the command (e.g., the username running the web server), it indicates the presence of the vulnerability.

On the server, you can also scan for recently uploaded PHP files in the /textpattern/files/ directory using commands like:

  • find /path/to/textpattern/files/ -name "*.php" -mtime -7

This command lists PHP files uploaded or modified in the last 7 days, which might help identify malicious uploads.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the file upload functionality in the Files section of the TextPattern CMS to prevent attackers from uploading malicious PHP shells.

Additionally, remove any suspicious or unknown PHP files found in the /textpattern/files/ directory.

Implement strict validation on uploaded files to ensure only allowed file types are accepted, blocking PHP or other executable files.

If possible, update TextPattern CMS to a version where this vulnerability is patched.

As a temporary measure, restrict access to the /textpattern/files/ directory via web server configuration to prevent execution of uploaded PHP files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart