Cyber Posture

CVE-2021-47888

High · Public PoC

Published: 23 January 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0052 (67.1th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Timely flaw remediation by upgrading to Textpattern 4.8.3 or later directly eliminates the unrestricted PHP file upload vulnerability enabling RCE.
- prevent: Information input validation on file uploads rejects dangerous PHP files, directly countering CWE-434 unrestricted upload of dangerous types.
- prevent, detect: Malicious code protection mechanisms scan and block uploaded PHP shells at system entry points, mitigating execution even if uploads occur.

Security Summary [AI]

CVE-2021-47888 is an authenticated remote code execution vulnerability in Textpattern content management system versions prior to 4.8.3. It stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), enabling logged-in users to upload malicious PHP files containing shell command execution payloads. By accessing the uploaded file via a specific URL parameter, attackers can trigger arbitrary command execution on the server.

The vulnerability requires network access and low privileges (PR:L), with no user interaction needed, as indicated by its CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Any authenticated user, such as a contributor or low-level admin, can exploit it to gain full server compromise, including data exfiltration, persistence, or further lateral movement within the environment.

Mitigation involves upgrading to Textpattern 4.8.3 or later, as specified in the vulnerability details. Advisories from sources like VulnCheck and public exploits on Exploit-DB (e.g., 49620) highlight the issue, with Textpattern's official site providing relevant resources for patching.

A proof-of-concept exploit is publicly available on Exploit-DB, increasing the risk of real-world abuse against unpatched installations.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) via authenticated file upload of PHP web shells (T1505.003) for remote command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References