{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/textpattern/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2021-47976"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TextPattern CMS 4.9.0-dev"],"_cs_severities":["high"],"_cs_tags":["rce","csrf","textpattern"],"_cs_type":"advisory","_cs_vendors":["Textpattern"],"content_html":"\u003cp\u003eTextPattern CMS version 4.9.0-dev is susceptible to a remote code execution (RCE) vulnerability, identified as CVE-2021-47976. This flaw allows authenticated attackers to upload malicious PHP files to the server, leading to arbitrary code execution. The vulnerability resides within the plugin upload functionality. An attacker must first authenticate to the TextPattern CMS application. Once authenticated, the attacker can retrieve a valid CSRF token from the plugin event page. This token is then used in conjunction with the malicious PHP file upload request to bypass CSRF protections, placing the malicious code in the textpattern/tmp/ directory. This vulnerability poses a significant risk to organizations using the affected TextPattern CMS version, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the TextPattern CMS 4.9.0-dev web application.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the plugin event page to retrieve a valid CSRF token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP file designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a file upload request targeting the plugin upload functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the retrieved CSRF token within the upload request to bypass CSRF protection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP file is successfully uploaded to the textpattern/tmp/ directory on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the uploaded PHP file by accessing it via a web request.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP file executes arbitrary commands on the server, granting the attacker control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47976 can lead to complete compromise of the TextPattern CMS server. An attacker can gain unauthorized access to sensitive data, modify website content, install backdoors, or use the compromised server as a launchpad for further attacks against other systems within the network. Due to the potential for full system compromise, this vulnerability poses a critical risk to organizations utilizing the affected TextPattern CMS version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates provided by Textpattern to address CVE-2021-47976.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Textpattern CMS PHP Upload via CVE-2021-47976\u0026rdquo; to detect attempts to exploit this vulnerability via webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads to the /textpattern/tmp/ directory, and cross-reference with authentication events.\u003c/li\u003e\n\u003cli\u003eReview and restrict plugin upload permissions within TextPattern CMS to only authorized administrators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:22:09Z","date_published":"2026-05-16T16:22:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-textpattern-rce/","summary":"TextPattern CMS 4.9.0-dev is vulnerable to remote code execution (CVE-2021-47976), allowing authenticated attackers to upload arbitrary PHP files and achieve code execution by exploiting the plugin upload functionality.","title":"CVE-2021-47976 - TextPattern CMS Authenticated Remote Code Execution via Plugin Upload","url":"https://feed.craftedsignal.io/briefs/2026-05-textpattern-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Textpattern","version":"https://jsonfeed.org/version/1.1"}