Textpattern: >> Textpattern >> 4.8.4 Security Vulnerabilities
An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file.
CVSS Score
7.2
EPSS Score
0.053
Published
2023-04-12
Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-06-29
A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting https://site.com/articles/welcome-to-your-site#comments-head.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-08-19
Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-04-15
Textpattern 4.8.4 is affected by cross-site scripting (XSS) in the Body parameter.
CVSS Score
4.8
EPSS Score
0.003
Published
2021-01-26