CVE-2021-47943 Overview
CVE-2021-47943 is a remote code execution vulnerability in TextPattern CMS 4.8.7. Authenticated attackers can upload arbitrary PHP files through the Files section in the content area. The uploaded payloads become directly accessible under /textpattern/files/, where attackers pass GET parameters to PHP functions such as system to execute operating system commands. The flaw is classified as Unrestricted Upload of File with Dangerous Type [CWE-434]. Public exploitation techniques are documented in Exploit-DB entries 49996 and 50415, making this a well-understood post-authentication attack against TextPattern deployments.
Critical Impact
Authenticated attackers can achieve arbitrary command execution on the underlying web server, leading to full compromise of the TextPattern CMS host.
Affected Products
- TextPattern CMS 4.8.7
- TextPattern CMS deployments exposing the /textpattern/files/ directory
- Web servers hosting TextPattern with PHP execution enabled in the files upload directory
Discovery Timeline
- 2026-05-10 - CVE-2021-47943 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47943
Vulnerability Analysis
The vulnerability resides in the file upload functionality available in the TextPattern administrative interface. An authenticated user with access to the Content > Files section can upload files without sufficient restrictions on file type or executable content. The application accepts PHP source files and stores them inside a web-accessible directory served by the same PHP interpreter that powers the CMS.
Once uploaded, the attacker requests the file directly at /textpattern/files/<filename>.php. The PHP runtime executes the attacker-controlled script, including any calls to dangerous functions such as system, exec, passthru, or shell_exec. GET parameters supplied in the request are passed straight into these functions, giving the attacker an interactive command channel.
Root Cause
The root cause is missing validation and enforcement around uploaded file types and execution context. TextPattern 4.8.7 does not block PHP extensions on upload and does not deny PHP execution within the files directory at the web server or application layer, satisfying the conditions described by [CWE-434].
Attack Vector
Exploitation requires valid authenticated credentials with permission to upload files. The attacker logs into the TextPattern admin panel, navigates to the Files section, and uploads a PHP webshell. The attacker then issues an HTTP GET request to /textpattern/files/shell.php?cmd=<command>, and the server returns the command output. Network access to the admin interface is the only additional prerequisite. Technical details and proof-of-concept payloads are available in the Exploit-DB #49996 and Exploit-DB #50415 entries, as well as the VulnCheck Advisory for Textpattern CMS.
Detection Methods for CVE-2021-47943
Indicators of Compromise
- New or unexpected .php, .phtml, or .phar files appearing under the /textpattern/files/ directory
- HTTP GET requests to /textpattern/files/ paths containing query parameters such as cmd=, c=, or shell-like command strings
- Web server processes (php-fpm, apache2, httpd, nginx) spawning child processes such as sh, bash, cmd.exe, whoami, or id
- Authenticated TextPattern sessions originating from unusual geolocations followed by file upload events in application logs
Detection Strategies
- Inspect web access logs for requests to /textpattern/files/*.php with query string parameters and correlate them with prior authenticated upload activity
- Monitor the file system for creation of executable script files within the TextPattern uploads directory using integrity monitoring
- Alert on the web server user account spawning interactive shells or system reconnaissance commands
Monitoring Recommendations
- Enable verbose application logging in TextPattern to capture file upload events with username, filename, and source IP
- Forward web server, file integrity, and process telemetry to a centralized analytics platform for correlation
- Baseline normal upload activity and alert on deviations such as PHP file extensions or large numbers of uploads from a single account
How to Mitigate CVE-2021-47943
Immediate Actions Required
- Upgrade TextPattern CMS to a version newer than 4.8.7 that addresses the file upload validation issue
- Restrict access to the TextPattern administrative interface using network controls, VPN, or IP allowlisting
- Rotate all administrative credentials and review accounts with file upload permissions for least privilege
- Audit the /textpattern/files/ directory for unauthorized scripts and remove any suspicious files
Patch Information
Review the VulnCheck Advisory for Textpattern CMS for fixed version guidance, and apply the latest TextPattern release available from the vendor. After upgrading, verify that PHP execution is no longer permitted within user upload directories.
Workarounds
- Configure the web server to deny execution of PHP and other server-side scripts under /textpattern/files/, for example using Apache <Directory> rules or an Nginx location block that returns 403
- Enforce an allowlist of permitted file extensions and validate MIME types at the application layer
- Apply multi-factor authentication on the TextPattern admin panel to reduce the risk of credential abuse leading to upload
# Apache: deny PHP execution inside the TextPattern files directory
<Directory "/var/www/textpattern/files">
php_admin_flag engine off
<FilesMatch "\.(php|phtml|phar)$">
Require all denied
</FilesMatch>
</Directory>
# Nginx equivalent
location ^~ /textpattern/files/ {
location ~ \.(php|phtml|phar)$ {
deny all;
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
