CVE-2021-47976

Severity: HIGH (CVSS 8.8)
WAF Coverage: Low
Published: 2026-05-16
CWE: CWE-352

TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to the textpattern/tmp/ directory for code execution.

WAF Coverage Analysis

Cross-Site Request Forgery (CSRF): Low WAF Coverage

OWASP: A01:2021 Broken Access Control
