{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/e107/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2021-47937"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["e107 CMS 2.3.0"],"_cs_severities":["high"],"_cs_tags":["cve","rce","e107","web-shell","authenticated","CVE-2021-47937"],"_cs_type":"advisory","_cs_vendors":["e107"],"content_html":"\u003cp\u003ee107 CMS version 2.3.0 is vulnerable to remote code execution (CVE-2021-47937). This vulnerability allows authenticated users who possess theme installation permissions to execute arbitrary commands on the server. The attack involves uploading a specially crafted theme file through the \u003ccode\u003etheme.php\u003c/code\u003e endpoint. The uploaded theme package includes a web shell that is deployed to the \u003ccode\u003ee107_themes\u003c/code\u003e directory. Once deployed, attackers can execute arbitrary system commands by accessing the \u003ccode\u003epayload.php\u003c/code\u003e script, effectively gaining control of the server. This vulnerability poses a significant risk to e107 CMS deployments, as it enables unauthorized code execution and potentially full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the e107 CMS application with an account that has theme installation permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious theme package containing a PHP web shell (e.g., \u003ccode\u003epayload.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious theme package via the \u003ccode\u003etheme.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe e107 CMS installs the uploaded theme, placing the web shell (e.g., \u003ccode\u003epayload.php\u003c/code\u003e) within the \u003ccode\u003ee107_themes\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the deployed web shell (\u003ccode\u003ee107_themes/payload.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web shell executes arbitrary system commands specified in the HTTP request parameters (e.g., \u003ccode\u003epayload.php?cmd=whoami\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server executes the command, and the web shell returns the output to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to perform further actions such as escalating privileges, installing malware, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47937 leads to remote code execution, allowing attackers to gain complete control over the e107 CMS server. An attacker could potentially deface websites, steal sensitive data, install malware, or use the compromised server as a foothold for further attacks within the network. The CVSS v3.1 score of 8.8 highlights the high severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or upgrades provided by e107 to address CVE-2021-47937.\u003c/li\u003e\n\u003cli\u003eRestrict theme installation permissions to only highly trusted administrators to limit the attack surface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious e107 Theme Upload - CVE-2021-47937\u003c/code\u003e to identify attempts to upload malicious theme files.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to unusual PHP files within the \u003ccode\u003ee107_themes\u003c/code\u003e directory to detect web shell activity (e.g., \u003ccode\u003epayload.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement strict file upload validation to prevent the upload of potentially malicious files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:20:23Z","date_published":"2026-05-10T13:20:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47937-e107-rce/","summary":"e107 CMS 2.3.0 contains a remote code execution vulnerability (CVE-2021-47937) that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files, leading to arbitrary code execution on the server.","title":"CVE-2021-47937: e107 CMS Authenticated Remote Code Execution via Theme Upload","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47937-e107-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — E107","version":"https://jsonfeed.org/version/1.1"}