{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file_upload/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2021-47943"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TextPattern CMS 4.8.7"],"_cs_severities":["high"],"_cs_tags":["cve","rce","file_upload","textpattern_cms"],"_cs_type":"threat","_cs_vendors":["Textpattern"],"content_html":"\u003cp\u003eTextPattern CMS 4.8.7 is vulnerable to remote code execution (CVE-2021-47943). This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying server. The attack vector involves exploiting the file upload functionality within the CMS. An attacker with valid user credentials can upload a specially crafted PHP file, effectively a webshell, to the server. Once the file is uploaded, the attacker can then trigger the execution of arbitrary commands by accessing the uploaded file via a direct HTTP request, passing commands as GET parameters. This can lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the TextPattern CMS 4.8.7 application with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the \u0026ldquo;Files\u0026rdquo; section within the content area of the CMS.\u003c/li\u003e\n\u003cli\u003eAttacker uploads a malicious PHP file (webshell) through the file upload functionality. This file contains PHP code designed to execute system commands.\u003c/li\u003e\n\u003cli\u003eThe CMS saves the uploaded file to the /textpattern/files/ directory.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request to access the uploaded PHP file (e.g., /textpattern/files/shell.php).\u003c/li\u003e\n\u003cli\u003eThe GET request includes parameters that are passed to the \u003ccode\u003esystem\u003c/code\u003e function within the uploaded PHP file (e.g., /textpattern/files/shell.php?cmd=id).\u003c/li\u003e\n\u003cli\u003eThe server executes the system command specified in the GET parameter via the \u003ccode\u003esystem\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe output of the executed command is returned to the attacker in the HTTP response, allowing the attacker to gain command execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants the attacker the ability to execute arbitrary commands on the web server. This could lead to complete compromise of the server, data exfiltration, defacement of the website, or further lateral movement within the network. While the specific number of affected installations is unknown, any TextPattern CMS 4.8.7 instance with authenticated users is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of TextPattern CMS to remediate CVE-2021-47943.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2021-47943 TextPattern File Upload RCE\u0026rdquo; to detect attempts to exploit this vulnerability by monitoring for access to uploaded PHP files in the \u003ccode\u003e/textpattern/files/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload policies, including file type validation and size limits, to prevent the upload of malicious files.\u003c/li\u003e\n\u003cli\u003eRestrict access to the /textpattern/files/ directory to authorized users only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:21:12Z","date_published":"2026-05-10T13:21:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-textpattern-rce/","summary":"TextPattern CMS 4.8.7 contains a remote code execution vulnerability (CVE-2021-47943) that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files and accessing them with crafted GET requests.","title":"TextPattern CMS 4.8.7 Authenticated Remote Code Execution via File Upload (CVE-2021-47943)","url":"https://feed.craftedsignal.io/briefs/2026-05-textpattern-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — File_upload","version":"https://jsonfeed.org/version/1.1"}