← back
CVE-2021-47943

TextPattern CMS 4.8.7 Remote Code Execution via File Upload

CVSS 8.7 HIGHEPSS 0.6%CWE-434
TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Textpattern · TextPattern CMS
public PoCs found2
cve_referencewww.exploit-db.com/exploits/49996unverifiedcve_referencewww.exploit-db.com/exploits/50415unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.exploit-db.com/exploits/49996https://www.exploit-db.com/exploits/50415https://www.vulncheck.com/advisories/textpattern-cms-remote-code-execution-via-file-upload