TextPattern CMS RCE via Plugin Upload (CVE-2021-47976)

The National Vulnerability Database (NVD) reports CVE-2021-47976, a high-severity remote code execution (RCE) vulnerability in TextPattern CMS version 4.9.0-dev (a development build, not a tagged release). The flaw lets an authenticated user upload arbitrary PHP files through the plugin upload functionality. The CVSS v3.1 base score is 8.8 (High).

Exploitation requires a valid TextPattern login. With a session, the attacker loads the plugin event page to obtain the Cross-Site Request Forgery (CSRF) token that the admin forms expect, then submits a plugin upload carrying an arbitrary PHP file. The file lands in the textpattern/tmp/ directory, and requesting it over HTTP executes it on the server. Note that fetching the token is ordinary use of the admin interface by a logged-in user, not a CSRF bypass: the underlying weakness is that the upload accepts executable PHP (CWE-434, Unrestricted Upload of File with Dangerous Type), so the CWE-352 (Cross-Site Request Forgery) label attached to this entry is a poor fit for the behaviour described.

The NVD entry names no affected product beyond TextPattern CMS 4.9.0-dev itself, but the implications are clear for any deployment running that build. An authenticated RCE in a CMS admin panel means that a single compromised or malicious account with plugin privileges becomes full control of the web server: system compromise, data exfiltration, and a foothold for lateral movement. Defenders should prioritise updating, limit which accounts can install plugins, and make sure the web server never executes PHP from textpattern/tmp/.

What This Means For You

  • If your organization uses TextPattern CMS, check whether any instance runs 4.9.0-dev, the only version this entry names, and update it. This is not theoretical: an authenticated RCE means any account that can reach the plugin upload can take over the web server. Audit your TextPattern and web server logs for plugin uploads you cannot account for, list the contents of `textpattern/tmp/` and treat any PHP file there as suspect, and confirm that your web server is configured not to execute or serve scripts from that directory.

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application: the technique the detection rule on this page is tagged with. Because the attacker already holds valid TextPattern credentials, T1078 Valid Accounts is the more precise initial-access mapping.
  • T1505.003 Server Software Component: Web Shell: a PHP file written into textpattern/tmp/ and then requested over HTTP is a web shell, and that request is the behaviour to hunt for after the upload.

🛡️ Detection Rules

The Sigma rule below was auto-generated for this entry and mapped to MITRE ATT&CK. Treat it as a starting point, not a tuned detection.

title: CVE-2021-47976 - TextPattern CMS Arbitrary PHP File Upload
id: scw-2026-05-16-ai-1
status: experimental
level: high
description: |
  Detects likely exploitation of CVE-2021-47976, where a user already
  authenticated to the TextPattern CMS admin panel abuses the plugin upload
  functionality to place an arbitrary PHP file in textpattern/tmp/. Two
  signals: a POST to textpattern/index.php associated with the plugin panel
  (event=plugin in the URI or Referer), and, with much higher confidence,
  any request for a PHP file under textpattern/tmp/, a directory that should
  never serve executable code. TextPattern admin forms carry event and step
  in the POST body, which access logs do not record, so the first signal is
  only a hint; the second is the one to alert on.
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47976/
tags:
  - attack.initial_access
  - attack.t1190
  - attack.persistence
  - attack.t1505.003
logsource:
  category: webserver
# Field names follow the Sigma webserver taxonomy; map them to your log schema.
detection:
  plugin_panel_post:
    cs-method: 'POST'
    c-uri|contains: '/textpattern/index.php'
  plugin_panel_hint:
    - c-uri|contains: 'event=plugin'
    - cs-referer|contains: 'event=plugin'
  tmp_php_request:
    c-uri|re: '/textpattern/tmp/[^?]+\.(php[0-9]?|phtml|phar)'
    sc-status: 200
  condition: (plugin_panel_post and plugin_panel_hint) or tmp_php_request
falsepositives:
  - Legitimate plugin installation by an administrator (first signal only)
  - None expected for PHP files requested from textpattern/tmp/
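The rule's logic, run over constructed sample access-log lines, together with the filesystem audit of textpattern/tmp/ that the advice section above asks for. This is an added example; it is not code from this page or from the Textpattern project. Assumptions, all marked in the code: W3C extended log lines with the field list shown; the plugin panel is reached as index.php?event=plugin (the page only says "plugin event"); because the admin form's event/step values travel in the POST body, which access logs do not record, the Referer is used as the panel hint; the sample log and the demo tmp/ directory are constructed.

```python
"""Hunt for the CVE-2021-47976 pattern: a PHP file written to textpattern/tmp/
and then requested over HTTP.  Added example; not Textpattern project code.
Assumptions (all labelled): W3C extended log lines with the field list in
FIELDS; the plugin panel is index.php?event=plugin (the page only says
'plugin event'); event/step travel in the POST body, so the Referer is used as
the panel hint; the sample log and the demo tmp/ directory are constructed."""
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample traffic (not real logs): one upload-then-execute chain
# from 203.0.113.7 and ordinary admin activity from 198.51.100.4.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2026-05-16 19:10:01 203.0.113.7 GET /textpattern/index.php event=plugin 200 -
2026-05-16 19:10:05 203.0.113.7 POST /textpattern/index.php - 200 https://cms.example/textpattern/index.php?event=plugin
2026-05-16 19:10:09 203.0.113.7 GET /textpattern/tmp/shell.php cmd=id 200 -
2026-05-16 19:12:00 198.51.100.4 GET /textpattern/index.php event=article 200 -
2026-05-16 19:12:30 198.51.100.4 POST /textpattern/index.php - 200 https://cms.example/textpattern/index.php?event=article
2026-05-16 19:13:00 198.51.100.4 GET /index.php s=blog 200 -
"""
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status", "cs(Referer)"]

# Extensions a typical PHP handler executes (assumption: match your server config).
PHP_EXTS = {"php", "php5", "php7", "phtml", "phar"}
TMP_PHP_RE = re.compile(r"^/textpattern/tmp/.+\.(php\d?|phtml|phar)$", re.IGNORECASE)
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def parse_w3c(text):
    """Parse W3C extended log lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it rather than abort the hunt
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def tmp_php_requests(records):
    """High-confidence signal: a PHP file requested from textpattern/tmp/,
    a directory that should never serve executable code."""
    return [r for r in records if TMP_PHP_RE.match(r["cs-uri-stem"])]


def upload_chains(records, window=timedelta(minutes=10)):
    """Tie each tmp/*.php request to an earlier POST to index.php from the same
    client whose URI or Referer points at the plugin panel (assumed event=plugin)."""
    chains = []
    for hit in tmp_php_requests(records):
        for r in records:
            panel = "event=plugin" in (r["cs-uri-query"] + r["cs(Referer)"])
            if (r["c-ip"] == hit["c-ip"] and r["cs-method"] == "POST"
                    and r["cs-uri-stem"].endswith("/textpattern/index.php")
                    and panel and timedelta(0) <= hit["ts"] - r["ts"] <= window):
                chains.append({"client": hit["c-ip"], "upload_at": r["ts"],
                               "executed": hit["cs-uri-stem"], "executed_at": hit["ts"]})
                break
    return chains


def scan_tmp_dir(tmp_dir):
    """Flag files in a tmp/ directory that are PHP by extension, or that carry an
    opening PHP tag under another extension (e.g. a 'PNG' with <?php inside)."""
    findings = []
    for path in sorted(Path(tmp_dir).rglob("*")):
        if not path.is_file():
            continue
        by_ext = path.suffix.lower().lstrip(".") in PHP_EXTS
        by_tag = PHP_TAG_RE.search(path.read_bytes()[:4096]) is not None
        if by_ext or by_tag:
            findings.append((path.name, "extension" if by_ext else "php-tag"))
    return findings


def build_demo_tmp_dir():
    """Constructed stand-in for textpattern/tmp/: a web shell, a disguised PHP
    file and a harmless cache file."""
    d = Path(tempfile.mkdtemp(prefix="txp_tmp_"))
    (d / "shell.php").write_text("<?php system($_GET['cmd']); ?>")
    (d / "avatar.png").write_bytes(b"\x89PNG\r\n<?php echo 1; ?>")
    (d / "cache.dat").write_bytes(b"\x00\x01cache")
    return d


if __name__ == "__main__":
    for c in upload_chains(parse_w3c(SAMPLE_LOG)):
        print(f"[!] {c['client']} posted to the plugin panel at {c['upload_at']:%H:%M:%S} "
              f"and executed {c['executed']} at {c['executed_at']:%H:%M:%S}")
    for name, why in scan_tmp_dir(build_demo_tmp_dir()):
        print(f"[!] suspicious file in tmp/: {name} ({why})")
```

Point `parse_w3c` at your real access log and `scan_tmp_dir` at the real textpattern/tmp/ path. The tmp/*.php request is the signal to alert on; the POST correlation only adds context, since a quiet attacker can upload from the panel and never trip the Referer check until the shell is used.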

Indicators of Compromise

These are descriptive indicators taken from the NVD entry; the page supplies no file hashes, IP addresses or domains.

ID              Type  Indicator
CVE-2021-47976  RCE   TextPattern CMS 4.9.0-dev (affected version)
CVE-2021-47976  RCE   Authenticated arbitrary PHP file upload via the plugin upload functionality
CVE-2021-47976  RCE   Malicious PHP files uploaded to the textpattern/tmp/ directory
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
