TextPattern CMS RCE (CVE-2021-47943) Allows Authenticated Attackers to Execute Commands

The National Vulnerability Database has detailed CVE-2021-47943, a high-severity remote code execution (RCE) vulnerability in TextPattern CMS version 4.8.7. This flaw enables authenticated attackers to execute arbitrary commands by leveraging the platform’s file upload functionality. Specifically, an attacker can upload a malicious PHP shell via the ‘Files’ section within the content area.

Once uploaded, this PHP shell can be accessed and triggered at /textpattern/files/, allowing attackers to pass GET parameters directly to system functions. The National Vulnerability Database assigns a CVSS score of 8.8 (HIGH) to this vulnerability, highlighting its significant impact and ease of exploitation, given the network vector and low privileges required.

This is a classic file upload bypass scenario, falling under CWE-434 (Unrestricted Upload of File with Dangerous Type). For defenders, this means a compromised user account on a TextPattern CMS instance is all an attacker needs to gain full control. The attacker’s calculus is simple: obtain low-level authenticated access, upload a web shell, and then escalate privileges or pivot within the network.

What This Means For You

  • If your organization uses TextPattern CMS, especially version 4.8.7, you need to verify your patch status immediately. Authenticated RCE is a critical vulnerability that attackers will absolutely leverage. Audit your TextPattern instances for any unauthorized file uploads in the `/textpattern/files/` directory and review logs for suspicious activity, even if you’ve patched.
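One way to run the log review recommended above, as an added example (not code from the advisory, NVD, or TextPattern). It assumes combined-format access logs and an extension list you should adjust to your own PHP handler configuration; the sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
UPLOAD_DIR = "/textpattern/files/"  # directory named in the advisory
# Assumption: extensions your server may hand to PHP. Also matches path-info
# ("a.php/x") and double extensions ("a.php.jpg"); tune to your handler config.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(?=$|[/.])", re.IGNORECASE)


def classify(line):
    """Return a finding for a request to a PHP-like file in the upload dir, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Normalise before matching: percent-encoding and duplicate slashes
    # would otherwise slip past a plain substring rule.
    path = re.sub(r"/{2,}", "/", unquote(parts.path))
    pos = path.lower().find(UPLOAD_DIR)
    if pos == -1 or not PHP_EXT.search(path[pos + len(UPLOAD_DIR):]):
        return None
    return {
        "ip": m["ip"], "time": m["ts"], "method": m["method"],
        "path": path, "query": parts.query, "status": int(m["status"]),
        # A 2xx answer means the file exists and was served or executed.
        "verdict": "investigate-now" if m["status"].startswith("2") else "probe",
    }


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:16:20:01 +0000] "GET /textpattern/files/report.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2026:16:21:44 +0000] "GET /textpattern/files/up.php?x=1 HTTP/1.1" 200 57 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/May/2026:16:22:10 +0000] "GET /textpattern/files/x%2EPHP HTTP/1.1" 404 196 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/May/2026:16:23:02 +0000] "GET /textpattern/index.php?event=file HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pair any "investigate-now" hit with a listing of the upload directory on disk, since log rotation can hide older requests.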

🛡️ Detection Rules

CVE-2021-47943 - TextPattern CMS PHP Shell Upload

```yaml
title: CVE-2021-47943 - TextPattern CMS PHP Shell Upload
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects the specific access pattern to a PHP file uploaded via the TextPattern CMS file upload vulnerability (CVE-2021-47943). Attackers upload a PHP shell to the '/textpattern/files/' directory and access it via GET requests with PHP execution parameters, allowing for RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47943/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'GET'
    # Both substrings must appear in the requested URI: the upload directory
    # and a PHP file name. The script name is part of the path, not the query
    # string, so it is matched on cs-uri rather than cs-uri-query.
    cs-uri|contains|all:
      - '/textpattern/files/'
      - '.php'
  # condition belongs directly under detection, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47943 | RCE | TextPattern CMS version 4.8.7 |
| CVE-2021-47943 | RCE | Authenticated file upload functionality in TextPattern CMS |
| CVE-2021-47943 | RCE | PHP file upload via 'Files' section in content area |
| CVE-2021-47943 | RCE | Accessing uploaded file at /textpattern/files/ with GET parameters |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 10, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
