PatchSiren cyber security CVE debrief
CVE-2021-47976 Textpattern CVE debrief
CVE-2021-47976 describes an authenticated remote code execution issue in Textpattern CMS 4.9.0-dev tied to the plugin upload flow. The supplied record says an attacker with valid access can abuse the upload path to place arbitrary PHP files under textpattern/tmp/, resulting in code execution. The NVD source item lists the issue with high impact and a CWE-352 association, indicating CSRF-related weaknesses are part of the attack path.
- Vendor: Textpattern
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
Textpattern CMS administrators, security teams, and anyone operating affected development or pre-release instances with plugin upload enabled should prioritize review. Sites that allow authenticated users to manage plugins or otherwise reach the plugin event workflow are the primary concern.
Technical summary
The supplied NVD record and reference text indicate a post-authentication RCE condition in the plugin upload functionality of Textpattern CMS 4.9.0-dev. The attack path involves obtaining a CSRF token from the plugin event page and then using the upload mechanism to store a malicious PHP file in textpattern/tmp/, where it can be executed. The source item associates the vulnerability with CWE-352 and a high-severity impact profile.
Defensive priority
High
Recommended defensive actions
- Review whether any Textpattern CMS instances are running affected 4.9.0-dev code or other vulnerable builds.
- Restrict access to plugin management features to trusted administrative accounts only.
- Verify that CSRF protections are enforced on all plugin-related actions.
- Audit the textpattern/tmp/ directory and related upload locations for unexpected PHP files or other executable content.
- Remove or disable unnecessary plugin upload capability in environments where it is not required.
- Monitor authentication events and file-creation activity around plugin management workflows.
- Apply the vendor's fixed release or mitigation guidance once confirmed for the affected code line.
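One way to carry out the textpattern/tmp/ audit recommended above, written as an added example for this debrief (not code from Textpattern or from the advisory source): it flags files whose name carries a PHP-executable suffix anywhere in the extension chain (so a double extension is caught) and files whose content contains a PHP open tag regardless of extension, recording size, mtime and SHA-256 so a finding can be triaged. The textpattern/tmp/ path comes from the record; the suffix list and the constructed sample files are assumptions.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Suffixes a typical PHP handler configuration will execute (assumed list).
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar", ".phps"}
# PHP open tags, used to spot PHP code stored under a non-PHP extension.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def is_executable_name(name: str) -> bool:
    """True if any suffix in the name (e.g. note.php.txt) is PHP-executable."""
    return any(s.lower() in EXECUTABLE_SUFFIXES for s in Path(name).suffixes)


def audit_tmp_dir(tmp_dir: str) -> list[dict]:
    """Walk tmp_dir and report files that look like PHP by name or by content."""
    findings = []
    for root, _dirs, files in os.walk(tmp_dir):
        for fname in files:
            path = Path(root) / fname
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            reasons = []
            if is_executable_name(fname):
                reasons.append("php-extension")
            if PHP_TAG_RE.search(data[:64 * 1024]):  # scan the first 64 KiB
                reasons.append("php-open-tag")
            if reasons:
                st = path.stat()
                findings.append({"path": str(path), "reasons": reasons,
                                 "size": st.st_size, "mtime": st.st_mtime,
                                 "sha256": hashlib.sha256(data).hexdigest()})
    return findings


def demo() -> list[dict]:
    """Audit a constructed textpattern/tmp/ layout: one benign cache file,
    one obvious .php file and one PHP tag hidden in a .txt file."""
    base = Path(tempfile.mkdtemp()) / "textpattern" / "tmp"
    base.mkdir(parents=True)
    (base / "cache.dat").write_bytes(b"\x00\x01\x02")      # benign, not reported
    (base / "p.php").write_bytes(b"<?php echo 1;")         # reported: name + content
    (base / "notes.txt").write_bytes(b"x\n<?= $y ?>")      # reported: content only
    return sorted(audit_tmp_dir(str(base)), key=lambda f: f["path"])
```

Run against a live instance as `audit_tmp_dir("/path/to/textpattern/tmp")` from a read-only account and compare the SHA-256 values against a known-good baseline.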
Evidence notes
The debrief is based only on the supplied NVD source item and its listed references. The source item states: authenticated attackers can upload arbitrary PHP files through plugin upload functionality and achieve code execution in textpattern/tmp/. The same record lists CWE-352 and a high-impact CVSS profile. References supplied with the record include the Textpattern GitHub repository, the Textpattern website, a VulnCheck advisory, and an Exploit-DB entry.
Official resources
The supplied timeline shows CVE published and modified on 2026-05-16T16:16:23.107Z, and the NVD source item is from the same update window. This debrief uses only the supplied source corpus and official CVE/NVD links.