CVE-2021-47976 Overview
CVE-2021-47976 affects TextPattern CMS version 4.9.0-dev and enables authenticated remote code execution through the plugin upload functionality. Attackers with valid credentials can retrieve a Cross-Site Request Forgery (CSRF) token from the plugin event page and upload arbitrary PHP files to the textpattern/tmp/ directory. Once uploaded, the attacker can request the file directly to execute arbitrary PHP code on the server. The weakness is categorized under [CWE-352] (Cross-Site Request Forgery), though the practical impact is full code execution on the underlying host.
Critical Impact
Authenticated attackers can achieve full remote code execution on the web server by abusing the plugin upload feature, leading to complete compromise of the CMS host.
Affected Products
- TextPattern CMS 4.9.0-dev
- Installations exposing the plugin event page to authenticated users
- Web servers hosting TextPattern with writable textpattern/tmp/ directories
Discovery Timeline
- 2026-05-16 - CVE-2021-47976 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47976
Vulnerability Analysis
The vulnerability resides in the plugin upload workflow exposed by the TextPattern administrative interface. The plugin event page issues a CSRF token, but the upload handler does not enforce sufficient validation on the uploaded file's type or content. An authenticated user can submit a multipart request containing a PHP payload, and the application writes the file to textpattern/tmp/ without restricting executable content. The attacker then issues an HTTP request to the uploaded PHP file, causing the web server to execute the payload under the server process context. Reference details are documented in the VulnCheck Advisory for Textpattern and Exploit-DB #50095.
Root Cause
The root cause is insufficient validation of plugin file uploads. The plugin handler trusts authenticated input and allows arbitrary file extensions, including PHP, to land in a directory served by the web server. The CSRF token requirement is the only meaningful gate, which any authenticated attacker can satisfy by parsing the plugin event page.
Attack Vector
The attack requires network access to the administrative interface and a valid authenticated session with privileges to access the plugin event page. The attacker performs three operations: authenticate to TextPattern, fetch the CSRF token from the plugin page, and submit a crafted multipart upload containing PHP source. Execution is triggered by requesting the dropped file under textpattern/tmp/.
No verified proof-of-concept code is reproduced here. Technical details and exploitation steps are available in the Exploit-DB entry #50095.
Detection Methods for CVE-2021-47976
Indicators of Compromise
- Unexpected PHP files present in the textpattern/tmp/ directory or other web-accessible upload paths
- HTTP POST requests to plugin upload endpoints originating from unusual source IPs or user agents
- Outbound network connections from the web server process immediately following plugin upload activity
- New administrator sessions followed by access to the plugin event page outside normal maintenance windows
Detection Strategies
- Monitor web server access logs for POST requests to plugin upload URLs followed by GET requests to files in textpattern/tmp/
- Implement file integrity monitoring on the textpattern/ directory tree to identify new or modified PHP files
- Inspect uploaded files for PHP tags or known web shell signatures before they are written to disk
Monitoring Recommendations
- Enable verbose authentication logging on the TextPattern admin interface and alert on privileged actions
- Correlate web server process spawns of shells, curl, wget, or php interpreters with preceding HTTP requests
- Forward web and host telemetry to a centralized logging platform for retrospective hunting against known IOCs
How to Mitigate CVE-2021-47976
Immediate Actions Required
- Restrict access to the TextPattern admin interface to trusted IP ranges or place it behind a VPN
- Audit existing administrator accounts and rotate credentials for any account with plugin management rights
- Inspect textpattern/tmp/ and remove any unauthorized PHP files discovered during review
- Disable plugin upload functionality in production until a fixed release or hardening is applied
Patch Information
TextPattern 4.9.0-dev is a development branch. Operators should upgrade to a stable release that addresses the plugin upload validation gap. Track release notes via the GitHub Textpattern Repository and the Textpattern Official Site for current versions and security fixes.
Workarounds
- Configure the web server to deny execution of PHP files inside textpattern/tmp/ using directory-level handler restrictions
- Enforce strict file extension allowlists at a Web Application Firewall (WAF) for all multipart uploads
- Require multi-factor authentication for administrative accounts to raise the cost of credential abuse
# Apache: deny PHP execution within the tmp directory
<Directory "/var/www/textpattern/textpattern/tmp">
php_flag engine off
<FilesMatch "\.(php|phtml|phar)$">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
