Cyber Resilience

CVE-2021-47888

High · Public PoC

Published: 23 January 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0060 (44.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-47888 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.2th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47888 is an authenticated remote code execution vulnerability in Textpattern content management system versions prior to 4.8.3. It stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), enabling logged-in users to upload malicious PHP files containing shell command execution payloads. By accessing the uploaded file via a specific URL parameter, attackers can trigger arbitrary command execution on the server.

The vulnerability requires network access and low privileges (PR:L), with no user interaction needed, as indicated by its CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Any authenticated user, such as a contributor or low-level admin, can exploit it to achieve full server compromise, including data exfiltration, persistence, or further lateral movement within the environment.

Mitigation involves upgrading to Textpattern 4.8.3 or later, as specified in the vulnerability details. Advisories from sources like VulnCheck and public exploits on Exploit-DB (e.g., 49620) highlight the issue, with Textpattern's official site providing relevant resources for patching.

A proof-of-concept exploit is publicly available on Exploit-DB, increasing the risk of real-world abuse against unpatched installations.

Vulnerability details

Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) via authenticated file upload of PHP web shells (T1505.003) for remote command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (Shared CWE-434)
CVE-2025-11948 (Shared CWE-434)
CVE-2025-67260 (Shared CWE-434)
CVE-2025-28915 (Shared CWE-434)
CVE-2023-53956 (Shared CWE-434)
CVE-2025-6058 (Shared CWE-434)
CVE-2021-47819 (Shared CWE-434)
CVE-2025-7852 (Shared CWE-434)
CVE-2026-4883 (Shared CWE-434)
CVE-2019-25630 (Shared CWE-434)

Affected Assets

Textpattern
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Timely flaw remediation by upgrading to Textpattern 4.8.3 or later directly eliminates the unrestricted PHP file upload vulnerability enabling RCE.

Prevent: Information input validation on file uploads rejects dangerous PHP files, directly countering CWE-434 unrestricted upload of dangerous types.

Prevent, detect: Malicious code protection mechanisms scan and block uploaded PHP shells at system entry points, mitigating execution even if uploads occur.
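
As an added illustration of the input-validation and malicious-code-scanning controls above (this is not code from Textpattern or from this advisory), the following Python example audits a web-served upload directory for files a PHP handler could execute. The directory to scan, the extension list and the reason labels are assumptions to adapt to the server's actual handler configuration.

```python
import re
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler (assumption: match your server config).
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.I)
# Same extensions mid-name, e.g. "x.php.jpg", which some handler mappings still execute.
PHP_EXT_INNER = re.compile(r"\.(php\d?|phtml|phar|pht)\.", re.I)
# PHP open tags inside content that claims to be an image or document.
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)


def classify_upload(name, head):
    """Return the reasons a stored upload looks dangerous (empty list means clean)."""
    reasons = []
    if PHP_EXT.search(name):
        reasons.append("php-extension")
    elif PHP_EXT_INNER.search(name):
        reasons.append("php-double-extension")
    if name.lower() in (".htaccess", ".user.ini"):
        reasons.append("handler-override-file")
    if PHP_TAG.search(head):
        reasons.append("php-open-tag")
    return reasons


def scan_upload_dir(root, sniff_bytes=65536):
    """Map each flagged file's path (relative to root) to its list of reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            reasons = classify_upload(path.name, fh.read(sniff_bytes))
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample tree; the file bodies are harmless placeholders.
    samples = {"report.pdf": b"%PDF-1.4 constructed", "note.php": b"<?php echo 'x'; ?>",
               "logo.php.jpg": b"\xff\xd8\xff constructed", "photo.jpg": b"\xff\xd8\xff<?= 'x' ?>"}
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            Path(d, name).write_bytes(body)
        for rel, why in scan_upload_dir(d).items():
            print(rel, why)
```

The same `classify_upload` check can run at upload time to reject a file before it is stored; run as a periodic audit, it surfaces files that were accepted before the upgrade to 4.8.3.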
