Description
TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to the textpattern/tmp/ directory for code execution.
Published: 2026-05-16
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected TextPattern CMS versions contain a flaw that lets an authenticated attacker upload arbitrary PHP files through the plugin upload feature. The attack is carried out by retrieving a CSRF token from the plugin event page and then submitting a malicious file, which is written to the textpattern/tmp/ directory. Executing that file gives the attacker remote code execution on the server, effectively enabling full compromise of the affected site. The weakness is classified as Cross-Site Request Forgery (CWE-352).

Affected Systems

The affected product is TextPattern CMS. All development, beta, and stable releases of version 4.9.0 are impacted, including 4.9.0-dev, 4.9.0, 4.9.0-beta, 4.9.0-beta1, 4.9.0-beta1a, and 4.9.0-beta2.

Risk and Exploitability

The CVSS score of 8.7 (CVSS 4.0; 8.8 under CVSS 3.1) indicates a high-severity vulnerability with high impact on confidentiality, integrity, and availability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid authenticated session and the ability to request the CSRF token, so the primary attack vector is the authenticated web interface. The existence of a proof-of-concept may increase the likelihood of exploitation in the wild.

Generated by OpenCVE AI on May 16, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of TextPattern CMS that removes the flaw
  • If an immediate upgrade is not possible, disable the plugin upload functionality to block the upload vector
  • Restrict write permissions on the textpattern/tmp/ directory and prevent files placed there from being executed as PHP
  • Monitor the tmp directory for unauthorized file uploads and review access logs for anomalous activity

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

All entries below were added in this revision; no values were removed.

Description: TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to the textpattern/tmp/ directory for code execution.
Title: TextPattern CMS 4.9.0-dev Authenticated Remote Code Execution via Plugin Upload
First Time appeared: Textpattern; Textpattern textpattern
Weaknesses: CWE-352
CPEs:
  cpe:2.3:a:textpattern:textpattern:4.9.0-dev:*:*:*:*:*:*:*
  cpe:2.3:a:textpattern:textpattern:4.9.0:-:*:*:*:*:*:*
  cpe:2.3:a:textpattern:textpattern:4.9.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:textpattern:textpattern:4.9.0:beta1a:*:*:*:*:*:*
  cpe:2.3:a:textpattern:textpattern:4.9.0:beta2:*:*:*:*:*:*
  cpe:2.3:a:textpattern:textpattern:4.9.0:beta:*:*:*:*:*:*
Vendors & Products: Textpattern; Textpattern textpattern
References: (none)
Metrics:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:16.409Z

Reserved: 2026-05-16T14:41:11.033Z

Link: CVE-2021-47976

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-16T16:16:23.107

Modified: 2026-05-16T16:16:23.107

Link: CVE-2021-47976

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T16:30:27Z

Weaknesses