CVE-2021-47943
Authenticated Remote Code Execution in TextPattern CMS 4.8.7 via Malicious File Upload
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| textpattern | textpattern_cms | 4.8.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47943 is a remote code execution vulnerability in TextPattern CMS 4.8.7 that allows authenticated attackers to upload malicious PHP files through the file upload functionality.
Attackers exploit this by uploading a PHP shell via the Files section in the content area. Once uploaded, they can execute arbitrary system commands by accessing the uploaded file at the path /textpattern/files/ and passing commands as GET parameters to the system function.
How can this vulnerability impact me? :
This vulnerability allows attackers to execute arbitrary commands on the affected server remotely, which can lead to full system compromise.
- Attackers can gain unauthorized control over the server.
- Sensitive data stored on the server may be accessed, modified, or deleted.
- The server could be used as a launchpad for further attacks within the network.
- Service disruption or defacement of the website hosted on the CMS.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious PHP files uploaded through the Files section in the content area of the TextPattern CMS. Specifically, look for PHP files in the /textpattern/files/ directory that may allow command execution via GET parameters.
A practical detection method is to attempt accessing suspicious PHP files with a command parameter to see if commands are executed. For example, you can try accessing a URL like:
- /textpattern/files/yourphp.php?cmd=whoami
If the server returns the output of the command (e.g., the username running the web server), it indicates the presence of the vulnerability.
On the server, you can also scan for recently uploaded PHP files in the /textpattern/files/ directory using commands like:
- find /path/to/textpattern/files/ -name "*.php" -mtime -7
This command lists PHP files uploaded or modified in the last 7 days, which might help identify malicious uploads.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the file upload functionality in the Files section of the TextPattern CMS to prevent attackers from uploading malicious PHP shells.
Additionally, remove any suspicious or unknown PHP files found in the /textpattern/files/ directory.
Implement strict validation on uploaded files to ensure only allowed file types are accepted, blocking PHP or other executable files.
If possible, update TextPattern CMS to a version where this vulnerability is patched.
As a temporary measure, restrict access to the /textpattern/files/ directory via web server configuration to prevent execution of uploaded PHP files.