e107 CMS RCE (CVE-2021-47937) Allows Authenticated Theme Uploads to Drop Web Shells

The National Vulnerability Database has detailed CVE-2021-47937, a high-severity remote code execution (RCE) vulnerability impacting e107 CMS version 2.3.0. This flaw enables authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files.

Attackers can exploit this by crafting a theme package and uploading it via the theme.php endpoint. This action deploys a web shell to the e107_themes directory, subsequently allowing the execution of system commands through a payload.php script. The National Vulnerability Database assigns this vulnerability a CVSS v3.1 score of 8.8 (High), highlighting the significant risk it poses.

This is a critical oversight. Any system where an attacker can gain even low-level authenticated access, then leverage that to drop a web shell, is a system that’s already compromised. Defenders need to assume that if an attacker gets a foothold, they will escalate. This vulnerability provides a direct path to full system control, bypassing deeper network segmentation controls once inside the perimeter.

What This Means For You

  • If your organization uses e107 CMS, especially version 2.3.0, you need to immediately audit user permissions for theme installation. Revoke unnecessary access. This RCE allows authenticated users to drop web shells, leading to full system compromise. Patching or upgrading e107 CMS should be your top priority.

🛡️ Detection Rules

e107 CMS Theme Upload Web Shell - CVE-2021-47937

Sigma YAML:
title: e107 CMS Theme Upload Web Shell - CVE-2021-47937
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects the specific endpoint and parameters used in the e107 CMS CVE-2021-47937 vulnerability. Attackers exploit the theme installation functionality via theme.php to upload malicious theme packages, leading to web shell deployment.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47937/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
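  category: webserver
detection:
  selection:
    # cs-uri-stem is the webserver-category field that holds the request path
    cs-uri-stem|endswith:
      - '/theme.php'
    # Plain value match; 'exact' is not a Sigma modifier
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'theme_install=true'
  selection_payload:
    cs-uri-query|contains:
      - 'theme_name='
  # Sigma condition operators are lowercase
  condition: selection and selection_payload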
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
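
The rule above matches only the upload request and depends on the parameters appearing in the query string. As a complement, the following added example (not part of the original post or of any e107 tooling) correlates a POST to the theme.php endpoint with a later successful request, from the same client, for a PHP file under e107_themes, the sequence described earlier. The Apache combined log format, the /e107_admin/ path and theme names in the sample lines, the 10-minute window, and the function name are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:16:20:01 +0000] "POST /e107_admin/theme.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:16:20:09 +0000] "GET /e107_themes/demo/payload.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2026:16:25:00 +0000] "POST /e107_admin/theme.php HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2026:16:25:30 +0000] "GET /e107_themes/bootstrap3/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2026:18:00:00 +0000] "GET /e107_themes/old/helper.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(minutes=10)  # assumed correlation window


def find_upload_then_exec(log_text, window=WINDOW):
    """Return (ip, upload_time, php_path) tuples where a POST to the theme.php
    endpoint is followed, from the same client and within `window`, by a
    successful (2xx) request for a PHP file under /e107_themes/."""
    uploads, hits = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path, ip = m["path"].lower(), m["ip"]
        in_themes = "/e107_themes/" in path
        if m["method"] == "POST" and path.endswith("/theme.php") and not in_themes:
            uploads[ip] = ts  # remember this client's latest theme-installer POST
        elif in_themes and path.endswith(".php") and m["status"].startswith("2"):
            up = uploads.get(ip)
            if up is not None and timedelta(0) <= ts - up <= window:
                hits.append((ip, up.isoformat(), m["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_upload_then_exec(SAMPLE_LOG):
        print("ALERT", *hit)
```

Only the first client in the sample is reported: the second fetches a stylesheet after its POST, and the third requests a PHP file without a preceding upload and receives a 404.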

Indicators of Compromise

ID | Type | Indicator
CVE-2021-47937 | RCE | e107 CMS version 2.3.0
CVE-2021-47937 | RCE | Vulnerable endpoint: theme.php for theme package upload
CVE-2021-47937 | RCE | Malicious theme file upload leading to web shell deployment in e107_themes directory
CVE-2021-47937 | RCE | Command execution via payload.php script after web shell deployment

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 10, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.