CVE-2021-47783

MEDIUM

phpwcms 1.9.30 - Authenticated Unrestricted Upload of Dangerous File via SVG File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47783. PoCs published by Okan Kurtulus.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in Phpwcms 1.9.30 by uploading an SVG file containing JavaScript code. The exploit requires authentication and leverages a file upload feature to achieve XSS.

Description

Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform.

Exploits (1)

exploitdb WORKING POC
by Okan Kurtulus · text · webapps · php
https://www.exploit-db.com/exploits/50363

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Phpwcms 1.9.30
Auth required
Prerequisites: Valid credentials for the target system · Access to the file upload functionality
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, VDB Entry: https://www.exploit-db.com/exploits/50363
Product: http://www.phpwcms.org/
Third Party Advisory: https://www.vulncheck.com/advisories/phpwcms-arbitrary-file-upload

Scores

CVSS v3: 5.4
EPSS: 0.0028
EPSS Percentile: 19.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-434
Status: published
Products (2):
phpwcms/phpwcms 1.9.30
Phpwcms/Phpwcms 1.9.30
Published: Jan 16, 2026
Tracked Since: Feb 18, 2026